Windows Analysis Report
e-SPT Masa PPh.exe

Overview

General Information

Sample name: e-SPT Masa PPh.exe
Analysis ID: 1585779
MD5: 097c653ddf86f75924a7192fb612b889
SHA1: 23fc34bf9649a820a98148697e99ae3c4919ed76
SHA256: bbd7bf7a8d98d3cf5fb8c3f089ca61b57021fbed911465d5caf405d69a531439
Tags: exe, user-MAM
Infos:

Detection

BlackMoon
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected BlackMoon Ransomware
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a global mouse hook
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • e-SPT Masa PPh.exe (PID: 6196 cmdline: "C:\Users\user\Desktop\e-SPT Masa PPh.exe" MD5: 097C653DDF86F75924A7192FB612B889)
    • e-SPT Masa PPh.exe (PID: 7108 cmdline: "C:\Users\user\Desktop\e-SPT Masa PPh.exe" /i "C:\Program Files (x86)\WindowsInstallerIC\7AF5081\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\IkCWSTWLLRQX" SECONDSEQUENCE="1" CLIENTPROCESSID="6196" AI_MORE_CMD_LINE=1 MD5: 097C653DDF86F75924A7192FB612B889)
  • msiexec.exe (PID: 7092 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 5268 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 53BFAE2425B516854415A490E8C0A705 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 6540 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding FC2A87C99CB9700EDEC5D180B7A0E6E9 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • fhjyy.exe (PID: 5444 cmdline: "C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe" MD5: BE4ED0D3AA0B2573927A046620106B13)
      • e8a0d5af432b7e64DBD.exe (PID: 1536 cmdline: "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\LJBPHRBSRLCI.FNG" -o"C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B" -pIWLHTVJXHINUWUFBWIU -aos -y MD5: FAE7D0A530279838C8A5731B086A081B)
        • conhost.exe (PID: 576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • e8a0d5af432b7e64DBD.exe (PID: 1196 cmdline: "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\KKVIOQVTEUTA.OKO" -o"C:\Program Files (x86)\IkCWSTWLLRQX" -pRFOLHRLVLKWUMQMLJJA -aos -y MD5: FAE7D0A530279838C8A5731B086A081B)
        • conhost.exe (PID: 1864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • e8a0d5af432b7e64DBD.exe (PID: 3136 cmdline: "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\FNCUNPTNLBMW.DNA" -o"C:\Users\user\AppData\Roaming" -pAEXIKRSDXTBGHJSHHPK -aos -y MD5: FAE7D0A530279838C8A5731B086A081B)
        • conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Bor32-update-flase.exe (PID: 3576 cmdline: "C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe" MD5: 938C33C54819D6CE8D731B68D9C37E38)
  • Bor32-update-flase.exe (PID: 3440 cmdline: "C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe" MD5: 938C33C54819D6CE8D731B68D9C37E38)
    • Haloonoroff.exe (PID: 5972 cmdline: "C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe" MD5: 0D318144BD23BA1A72CC06FE19CB3F0C)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll | Mimikatz_Gen_Strings | Detects Mimikatz by using some special strings | Florian Roth | 0x6b86c:$s5: Ask debug privilege
C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll | Mimikatz_Strings | Detects Mimikatz strings | Florian Roth | 0x6bf04:$x6: Lists LM & NTLM credentials
C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll | Mimikatz_Gen_Strings | Detects Mimikatz by using some special strings | Florian Roth | 0x6b86c:$s5: Ask debug privilege
C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll | Mimikatz_Strings | Detects Mimikatz strings | Florian Roth | 0x6bf04:$x6: Lists LM & NTLM credentials

Source | Rule | Description | Author | Strings
00000011.00000002.2610324883.000000000301C000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security |
0000000E.00000000.2471325966.0000000000401000.00000020.00000001.01000000.0000000F.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000008.00000003.2393860781.0000000002FC6000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Process Memory Space: e8a0d5af432b7e64DBD.exe PID: 1536 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Process Memory Space: Bor32-update-flase.exe PID: 3440 | JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security |

Source | Rule | Description | Author | Strings
17.2.Bor32-update-flase.exe.307950e.7.unpack | JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security |
17.2.Bor32-update-flase.exe.307950e.7.unpack | MALWARE_Win_BlackMoon | Detects executables using BlackMoon RunTime | ditekSHen | 0x45ba:$s1: blackmoon; 0x45fa:$s2: BlackMoon RunTime Error:
14.0.Bor32-update-flase.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
17.2.Bor32-update-flase.exe.307950e.7.raw.unpack | JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security |
17.2.Bor32-update-flase.exe.307950e.7.raw.unpack | MALWARE_Win_BlackMoon | Detects executables using BlackMoon RunTime | ditekSHen | 0x45ba:$s1: blackmoon; 0x45fa:$s2: BlackMoon RunTime Error:

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T09:15:13.512590+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.5 | 49962 | 154.82.113.139 | 63701 | TCP
2025-01-08T09:16:14.637182+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.5 | 49962 | 154.82.113.139 | 63701 | TCP
2025-01-08T09:17:15.793348+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.5 | 49962 | 154.82.113.139 | 63701 | TCP

                    AV Detection

Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\HipsdiaMain.dll | ReversingLabs: Detection: 41%
Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\TDPINFO.dll | ReversingLabs: Detection: 13%
Source: e-SPT Masa PPh.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe | File opened: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Microsoft.VC90.CRT\msvcr90.dll
Source: e-SPT Masa PPh.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                    Source: Binary string: rundll32.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: d:\build\ob\bora-21885936\cayman_zlib\build\release\win32_vc140\zlib\build\zlib1.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BF1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417339817.0000000003DA5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000005131000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: D:\a\_work\1\s\obj\VS\Microsoft.VisualStudio.Web.Host\Release\Microsoft.VisualStudio.Web.Host.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMRtpDLL.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.2064937321.0000000009620000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\MemDefrag.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\basichttp\win32\release\basichttp.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallerAnalytics.pdb source: e-SPT Masa PPh.exe, 00000000.00000002.2485960344.000000006C627000.00000002.00000001.01000000.00000008.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2064937321.000000000991B000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.2064937321.0000000009620000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\test\intelligentDemo\PackageMgr\Release\PackageMgr.pdb//' source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMAVProxy.pdb__(GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: z:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: x:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: v:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: t:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: r:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: p:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: n:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: l:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: j:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: h:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: f:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: b:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: y:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: w:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: u:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: s:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: q:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: o:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: m:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: k:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: i:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: g:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: e:
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe File opened: c:
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe File opened: a:
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe File opened: [:
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 0_2_0102E4E0 FindFirstFileW,GetLastError,FindClose,0_2_0102E4E0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 0_2_00F14AD0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,0_2_00F14AD0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 0_2_01059F30 FindFirstFileW,FindClose,CloseHandle,CloseHandle,0_2_01059F30
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 0_2_010540C0 FindFirstFileW,FindClose,0_2_010540C0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 0_2_01010370 FindFirstFileW,FindNextFileW,FindClose,0_2_01010370
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 0_2_01064620 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,0_2_01064620
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 0_2_01064AA0 FindFirstFileW,FindClose,0_2_01064AA0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 0_2_0103CDF0 FindFirstFileW,FindClose,FindClose,0_2_0103CDF0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 0_2_0102DBB0 FindFirstFileW,FindFirstFileW,FindClose,FindClose,0_2_0102DBB0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 0_2_6C5E4E20 FindFirstFileW,FindClose,GetLastError,FindClose,0_2_6C5E4E20
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 0_2_6C5DF260 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,0_2_6C5DF260
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 0_2_6C603D4B FindFirstFileExW,0_2_6C603D4B
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 4_2_0102E4E0 FindFirstFileW,GetLastError,FindClose,4_2_0102E4E0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 4_2_0102DA30 FindFirstFileW,FindFirstFileW,FindClose,FindClose,4_2_0102DA30
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe Code function: 7_2_00BE74DA FindFirstFileExW,7_2_00BE74DA
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe Code function: 8_2_00C58BA4 __EH_prolog3_GS,FindFirstFileA,FindFirstFileW,FindFirstFileW,8_2_00C58BA4
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe Code function: 8_2_00CBD528 FindFirstFileExA,8_2_00CBD528
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe Code function: 8_2_00CBD7E0 FindFirstFileExW,FindClose,FindNextFileW,8_2_00CBD7E0
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe Code function: 8_2_00CBD9C1 FindFirstFileExW,8_2_00CBD9C1
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe Code function: 8_2_00CBD996 FindFirstFileExA,8_2_00CBD996
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_0085657C GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,17_2_0085657C
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_00858E6C FindFirstFileA,FindClose,17_2_00858E6C
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_00858E6A FindFirstFileA,FindClose,17_2_00858E6A
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_00A52298 FindFirstFileA,SetFileAttributesA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,17_2_00A52298
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_0098A698 FindFirstFileA,FindClose,17_2_0098A698
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_0098A696 FindFirstFileA,FindClose,17_2_0098A696
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_0098A7A8 FindFirstFileA,FindClose,17_2_0098A7A8
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_009D27D0 FindFirstFileA,FindClose,FileTimeToDosDateTime,17_2_009D27D0
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_0098AAB4 FindFirstFileA,GetLastError,17_2_0098AAB4
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_00986B80 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,17_2_00986B80
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_00A4EDA0 FindFirstFileA,SetFileAttributesA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,17_2_00A4EDA0
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_00A98948 FindFirstFileA,FindClose,17_2_00A98948
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_00A98946 FindFirstFileA,FindClose,17_2_00A98946
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 0_2_01063270 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,0_2_01063270

                    Networking

                    Source: Network traffic Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.5:49962 -> 154.82.113.139:63701
                    Source: global traffic TCP traffic: 154.82.113.139 ports 63701,0,1,3,6,7
                    Source: global traffic TCP traffic: 192.168.2.5:49962 -> 154.82.113.139:63701
                    Source: Joe Sandbox View ASN Name: ROOTNETWORKSUS ROOTNETWORKSUS
                    Source: unknown TCP traffic detected without corresponding DNS query: 154.82.113.139
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: "https://www.facebook.com/iobitsoft equals www.facebook.com (Facebook)
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004458000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: ftp://http://HTTP/1.0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ascstats.iobit.com/active.php
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ascstats.iobit.com/moreuse.php
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ascstats.iobit.com/multi_app/app_db3promote.php?action=insert
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ascstats.iobit.com/other/db_driverinstall.php
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ascstats.iobit.com/other/db_extlink_download.php
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ascstats.iobit.com/other/db_temp_download.php
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ascstats.iobit.com/other/insert.php
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ascstats.iobit.com/usage.php
                    Source: e-SPT Masa PPh.exe, 00000004.00000003.2175397273.0000000007BA7000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2469588665.0000000007BA7000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2470340579.0000000007BAC000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2469701221.0000000007BA7000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2174931129.0000000007BA7000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2175156779.0000000007BA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digi
                    Source: e-SPT Masa PPh.exe, 00000000.00000002.2485680586.000000000A1A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digic
                    Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439980096.00000000038AF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439802519.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000011.00000002.2607835179.0000000000964000.00000002.00000001.01000000.0000001B.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BF1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BF1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439980096.00000000038AF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439802519.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000011.00000002.2607835179.0000000000964000.00000002.00000001.01000000.0000001B.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                    Source: e-SPT Masa PPh.exe, 00000000.00000003.2067835237.000000000812E000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2064937321.0000000009A37000.00000004.00001000.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2171859586.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2174893988.0000000007BB1000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000002.2471106139.0000000000B61000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2174893988.0000000007BB6000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2174931129.0000000007BA7000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2469994210.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000002.2471873248.0000000006A85000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2171214712.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2175156779.0000000007BA9000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BF1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.000000000332C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 
00000008.00000003.2417339817.0000000003DA5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000005131000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                    Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439980096.00000000038AF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439802519.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000011.00000002.2607835179.0000000000964000.00000002.00000001.01000000.0000001B.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
                    Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439980096.00000000038AF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439802519.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000011.00000002.2607835179.0000000000964000.00000002.00000001.01000000.0000001B.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
                    Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439980096.00000000038AF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439802519.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000011.00000002.2607835179.0000000000964000.00000002.00000001.01000000.0000001B.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
                    Source: e-SPT Masa PPh.exe, e-SPT Masa PPh.exe, 00000004.00000002.2471106139.0000000000B61000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2469994210.0000000000B5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                    Source: e-SPT Masa PPh.exe, 00000000.00000003.2481985838.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2482671788.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000002.2483950373.00000000054D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/eng
                    Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000011.00000002.2616789229.000000006B296000.00000008.00000001.01000000.0000001F.sdmpString found in binary or memory: http://curl.haxx.se/V
                    Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000011.00000002.2616789229.000000006B296000.00000008.00000001.01000000.0000001F.sdmpString found in binary or memory: http://curl.haxx.se/docs/copyright.htmlDVarFileInfo$
                    Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, Bor32-update-flase.exe, 00000011.00000002.2616478598.000000006B282000.00000002.00000001.01000000.0000001F.sdmpString found in binary or memory: http://curl.haxx.se/docs/http-cookies.html
                    Source: Bor32-update-flase.exe, 00000011.00000002.2610324883.000000000301C000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://ec.360bc.cnhttp://www.eyybc.com/forumdisplay.php?fid=17/memcp.php/ip.asp/time.asp/gonggao.txt
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://forums.iobit.com/forum/driver-booster/driver-booster-5
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://forums.iobit.com/showthread.php?t=16792
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://idb.iobit.com/check.php
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000424D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://install-log.kuwo.cn/music.yl
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000424D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://klog.kuwo.cn/music.yl
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000424D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://klog.kuwo.cn/music.ylhttp://install-log.kuwo.cn/music.ylhttp://log.kuwo.cn/music.ylrwSend
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000424D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://log.kuwo.cn/music.yl
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.000000000332C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BF1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417339817.0000000003DA5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000005131000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000011.00000002.2610324883.000000000301C000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                    Source: e-SPT Masa PPh.exe, 00000000.00000003.2067835237.000000000812E000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2064937321.0000000009A37000.00000004.00001000.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2171859586.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2174893988.0000000007BB1000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000002.2471106139.0000000000B61000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2174893988.0000000007BB6000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2174931129.0000000007BA7000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2469994210.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000002.2471873248.0000000006A85000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2171214712.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2175156779.0000000007BA9000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BF1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.000000000332C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 
00000008.00000003.2417339817.0000000003DA5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000005131000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                    Source: e-SPT Masa PPh.exe, 00000000.00000003.2067835237.000000000812E000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000002.2485680586.000000000A1A0000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2064937321.0000000009A37000.00000004.00001000.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2171859586.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2174893988.0000000007BB1000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000002.2471106139.0000000000B61000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2174893988.0000000007BB6000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2174931129.0000000007BA7000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2469994210.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000002.2471873248.0000000006A85000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2171214712.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2175156779.0000000007BA9000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BF1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.000000000332C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 
00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417339817.0000000003DA5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000005131000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                    Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439980096.00000000038AF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439802519.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000011.00000002.2607835179.0000000000964000.00000002.00000001.01000000.0000001B.sdmpString found in binary or memory: http://ocsp.digicert.com0H
                    Source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439980096.00000000038AF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439802519.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000011.00000002.2607835179.0000000000964000.00000002.00000001.01000000.0000001B.sdmpString found in binary or memory: http://ocsp.digicert.com0I
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BF1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0L
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439980096.00000000038AF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439802519.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000011.00000002.2607835179.0000000000964000.00000002.00000001.01000000.0000001B.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                    Source: e-SPT Masa PPh.exe, 00000000.00000003.2476674030.0000000008106000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000002.2485445400.0000000008111000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2067835237.000000000812E000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2064937321.0000000009A37000.00000004.00001000.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2481797917.0000000008110000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2171859586.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2174893988.0000000007BB1000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000002.2471106139.0000000000B61000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2174931129.0000000007BA7000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2469994210.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000002.2471873248.0000000006A85000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2171214712.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2175156779.0000000007BA9000.00000004.00000020.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BF1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.000000000332C000.00000004.00001000.00020000.00000000.sdmp, 
e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417339817.0000000003DA5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000005131000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.000000000332C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000011.00000002.2610324883.000000000301C000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000424D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004A91000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004458000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000047B4000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr606
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/pca3-g5.crl0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.000000000332C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.000000000332C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com06
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com0_
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com0
                    Source: e-SPT Masa PPh.exeString found in binary or memory: http://schemas.micr
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.0000000002E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sf.symcb.com/sf.crl0a
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sf.symcb.com/sf.crt0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sf.symcd.com0&
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://stats.iobit.com/active_day.php
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://stats.iobit.com/active_month.php
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://stats.iobit.com/register.php
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://stats.iotransfer.net/active.php
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sw.symcb.com/sw.crl0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sw.symcd.com0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sw1.symcb.com/sw.crt0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://t2.symcb.com0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tl.symcb.com/tl.crl0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tl.symcb.com/tl.crt0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tl.symcd.com0&
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.000000000332C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_009F0F5C OpenClipboard,GlobalAlloc,GlobalLock,EmptyClipboard,SetClipboardData,GlobalUnlock,17_2_009F0F5C
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_009DC328 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,17_2_009DC328
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_0100A0D0 SendMessageW,GetParent,GetWindowRect,GetParent,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,MapWindowPoints,FillRect,DeleteDC,SendMessageW,SendMessageW,0_2_0100A0D0
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_00A17AD4 GetMessagePos,GetKeyboardState,17_2_00A17AD4
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeWindows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll
                    Source: Bor32-update-flase.exe, 00000011.00000002.2610324883.0000000002A93000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: RegisterRawInputDevicesmemstr_a0404267-1
                    Source: Yara matchFile source: Process Memory Space: e8a0d5af432b7e64DBD.exe PID: 1536, type: MEMORYSTR

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: Yara matchFile source: 17.2.Bor32-update-flase.exe.307950e.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 17.2.Bor32-update-flase.exe.307950e.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000011.00000002.2610324883.000000000301C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Bor32-update-flase.exe PID: 3440, type: MEMORYSTR
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_00A4F1A0 OpenDesktopA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateDesktopA,17_2_00A4F1A0

                    System Summary

                    Source: 17.2.Bor32-update-flase.exe.307950e.7.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 17.2.Bor32-update-flase.exe.307950e.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll, type: DROPPEDMatched rule: Detects Mimikatz by using some special strings Author: Florian Roth
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll, type: DROPPEDMatched rule: Detects Mimikatz strings Author: Florian Roth
                    Source: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll, type: DROPPEDMatched rule: Detects Mimikatz by using some special strings Author: Florian Roth
                    Source: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll, type: DROPPEDMatched rule: Detects Mimikatz strings Author: Florian Roth
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00FE82D0 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W,GetSysColor,0_2_00FE82D0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_0107BBB0 NtdllDefWindowProc_W,0_2_0107BBB0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00FC64E0 NtdllDefWindowProc_W,0_2_00FC64E0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00F08480 NtdllDefWindowProc_W,GetSysColor,0_2_00F08480
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00F12590 NtdllDefWindowProc_W,0_2_00F12590
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00F0A680 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,0_2_00F0A680
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00F12700 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,0_2_00F12700
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00F1E8F0 NtdllDefWindowProc_W,0_2_00F1E8F0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00F2CC50 NtdllDefWindowProc_W,0_2_00F2CC50
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00F0AE70 NtdllDefWindowProc_W,0_2_00F0AE70
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00F18F00 KillTimer,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,0_2_00F18F00
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00F0B4D0 NtdllDefWindowProc_W,0_2_00F0B4D0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00F71640 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,0_2_00F71640
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00F07600 GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,NtdllDefWindowProc_W,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,0_2_00F07600
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00F07DD0 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,SysFreeString,0_2_00F07DD0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_00FE82D0 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W,4_2_00FE82D0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_00FC64E0 NtdllDefWindowProc_W,4_2_00FC64E0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_00F0B4D0 NtdllDefWindowProc_W,4_2_00F0B4D0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_00F08480 NtdllDefWindowProc_W,4_2_00F08480
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_00F12590 NtdllDefWindowProc_W,4_2_00F12590
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_00F0A680 NtdllDefWindowProc_W,4_2_00F0A680
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_00F71640 NtdllDefWindowProc_W,4_2_00F71640
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_00F07600 NtdllDefWindowProc_W,NtdllDefWindowProc_W,GlobalAlloc,GlobalLock,GlobalUnlock,NtdllDefWindowProc_W,4_2_00F07600
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_00F12700 NtdllDefWindowProc_W,4_2_00F12700
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_00F1E8F0 NtdllDefWindowProc_W,4_2_00F1E8F0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_00F2CC50 NtdllDefWindowProc_W,4_2_00F2CC50
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_00F0AE70 NtdllDefWindowProc_W,4_2_00F0AE70
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_00F18F00 NtdllDefWindowProc_W,DeleteCriticalSection,4_2_00F18F00
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_008969D8 inet_addr,ntohl,lstrcmpiA,17_2_008969D8
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_00896A24 ntohl,inet_ntoa,17_2_00896A24
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_00A4CA0C inet_addr,ntohl,lstrcmpiA,17_2_00A4CA0C
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_00A4CA58 ntohl,inet_ntoa,17_2_00A4CA58
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: 8_2_00C596C6: DeviceIoControl,8_2_00C596C6
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGXlong.sys
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\5a0931.msi
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAB8.tmp
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB07.tmp
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB37.tmp
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB76.tmp
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBB6.tmp
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBE6.tmp
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2EFF.tmp
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2F3F.tmp
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipi
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI31EF.tmp
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3AAB.tmp
                    Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\SysWOW64\libjyy.dll
                    Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSIAB8.tmp
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeProcess token adjusted: Security
                    Source: e-SPT Masa PPh.exe Static PE information: invalid certificate
                    Source: e-SPT Masa PPh.exe Static PE information: Resource name: RT_VERSION type: PDP-11 overlaid pure executable not stripped
                    Source: fixsc.dll.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: fixsc64.dll.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: libcurrant.dll.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: libzdtp.dll.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: libzdtp64.dll.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: fixsc.dll.2.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: fixsc64.dll.2.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: e-SPT Masa PPh.exe, 00000000.00000003.2092124918.000000000983D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewininet.dllD vs e-SPT Masa PPh.exe
                    Source: e-SPT Masa PPh.exe, 00000000.00000003.2064937321.0000000009620000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelzmaextractor.dllF vs e-SPT Masa PPh.exe
                    Source: e-SPT Masa PPh.exe, 00000000.00000003.2064937321.0000000009620000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrereq.dllF vs e-SPT Masa PPh.exe
                    Source: e-SPT Masa PPh.exe, 00000000.00000003.2064937321.0000000009620000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs e-SPT Masa PPh.exe
                    Source: e-SPT Masa PPh.exe, 00000000.00000002.2486038035.000000006C681000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs e-SPT Masa PPh.exe
                    Source: e-SPT Masa PPh.exe, 00000000.00000003.2067835237.0000000008117000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs e-SPT Masa PPh.exe
                    Source: e-SPT Masa PPh.exe, 00000000.00000003.2064937321.000000000991B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs e-SPT Masa PPh.exe
                    Source: e-SPT Masa PPh.exe, 00000000.00000003.2064937321.0000000009A37000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs e-SPT Masa PPh.exe
                    Source: e-SPT Masa PPh.exe, 00000000.00000003.2064937321.0000000009A37000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs e-SPT Masa PPh.exe
                    Source: e-SPT Masa PPh.exe, 00000000.00000003.2476571795.0000000008042000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs e-SPT Masa PPh.exe
                    Source: e-SPT Masa PPh.exe, 00000004.00000003.2170644364.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs e-SPT Masa PPh.exe
                    Source: e-SPT Masa PPh.exe, 00000004.00000003.2175531406.00000000072DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewininet.dllD vs e-SPT Masa PPh.exe
                    Source: e-SPT Masa PPh.exe, 00000004.00000003.2175135063.0000000007BB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs e-SPT Masa PPh.exe
                    Source: e-SPT Masa PPh.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: 17.2.Bor32-update-flase.exe.307950e.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 17.2.Bor32-update-flase.exe.307950e.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll, type: DROPPED Matched rule: Mimikatz_Gen_Strings date = 2017-06-19, hash3 = f35b589c1cc1c98c4c4a5123fd217bdf0d987c00d2561992cbfb94bd75920159, hash2 = eefd4c038afa0e80cf6521c69644e286df08c0883f94245902383f50feac0f85, author = Florian Roth, description = Detects Mimikatz by using some special strings, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 058cc8b3e4e4055f3be460332a62eb4cbef41e3a7832aceb8119fd99fea771c4
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll, type: DROPPED Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll, type: DROPPED Matched rule: Mimikatz_Gen_Strings date = 2017-06-19, hash3 = f35b589c1cc1c98c4c4a5123fd217bdf0d987c00d2561992cbfb94bd75920159, hash2 = eefd4c038afa0e80cf6521c69644e286df08c0883f94245902383f50feac0f85, author = Florian Roth, description = Detects Mimikatz by using some special strings, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 058cc8b3e4e4055f3be460332a62eb4cbef41e3a7832aceb8119fd99fea771c4
                    Source: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll, type: DROPPED Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BF1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: D:\dbs\el\ddvsm\out\Intermediate\vscommon\perfwatson2.csproj_FB008427_ret\objr\amd64\PerfWatson2.pdb
                    Source: classification engine Classification label: mal92.rans.troj.spyw.evad.winEXE@23/437@0/1
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 0_2_010318D0 FormatMessageW,GetLastError
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe Code function: 8_2_00C6828A GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe Code function: 8_2_00C5B687 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,FreeLibrary
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 0_2_01065A70 GetDiskFreeSpaceExW
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 0_2_010806B0 CoCreateInstance
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: 0_2_00EFA700 LoadResource,LockResource,SizeofResource
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe File created: C:\Program Files (x86)\WindowsInstallerIC
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe File created: C:\Users\user\AppData\Local\AdvinstAnalytics
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1396:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:576:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1864:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe Mutant created: \Sessions\1\BaseNamedObjects\??
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe Mutant created: \Sessions\1\BaseNamedObjects\NIpizDg64rfvhLyrCQMywaHQBENjzMv1R6uEoR8NfcvFEqARIU
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe File created: C:\Users\user\AppData\Local\Temp\INAE771.tmp
                    Source: Yara match File source: 14.0.Bor32-update-flase.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0000000E.00000000.2471325966.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara match File source: 00000008.00000003.2393860781.0000000002FC6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe, type: DROPPED
                    Source: Yara match File source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\rtl120.bpl, type: DROPPED
                    Source: e-SPT Masa PPh.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe File read: C:\Program Files (x86)\desktop.ini
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: e-SPT Masa PPh.exe String found in binary or memory: https://installeranalytics.com
                    Source: Bor32-update-flase.exe String found in binary or memory: ISO_6937-2-add
                    Source: Bor32-update-flase.exe String found in binary or memory: JIS_C6229-1984-b-add
                    Source: Bor32-update-flase.exe String found in binary or memory: jp-ocr-b-add
                    Source: Bor32-update-flase.exe String found in binary or memory: JIS_C6229-1984-hand-add
                    Source: Bor32-update-flase.exe String found in binary or memory: jp-ocr-hand-add
                    Source: Bor32-update-flase.exe String found in binary or memory: NATS-DANO-ADD
                    Source: Bor32-update-flase.exe String found in binary or memory: NATS-SEFI-ADD
                    Source: Bor32-update-flase.exe String found in binary or memory: addon-installstart
                    Source: Bor32-update-flase.exe String found in binary or memory: addon-installover
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe File read: C:\Users\user\Desktop\e-SPT Masa PPh.exe
                    Source: unknown Process created: C:\Users\user\Desktop\e-SPT Masa PPh.exe "C:\Users\user\Desktop\e-SPT Masa PPh.exe"
                    Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                    Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 53BFAE2425B516854415A490E8C0A705 C
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Process created: C:\Users\user\Desktop\e-SPT Masa PPh.exe "C:\Users\user\Desktop\e-SPT Masa PPh.exe" /i "C:\Program Files (x86)\WindowsInstallerIC\7AF5081\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\IkCWSTWLLRQX" SECONDSEQUENCE="1" CLIENTPROCESSID="6196" AI_MORE_CMD_LINE=1
                    Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FC2A87C99CB9700EDEC5D180B7A0E6E9
                    Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe "C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe"
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe Process created: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\LJBPHRBSRLCI.FNG" -o"C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B" -pIWLHTVJXHINUWUFBWIU -aos -y
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe Process created: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\KKVIOQVTEUTA.OKO" -o"C:\Program Files (x86)\IkCWSTWLLRQX" -pRFOLHRLVLKWUMQMLJJA -aos -y
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe Process created: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\FNCUNPTNLBMW.DNA" -o"C:\Users\user\AppData\Roaming" -pAEXIKRSDXTBGHJSHHPK -aos -y
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown Process created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe "C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe"
                    Source: unknown Process created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe "C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe"
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Process created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe "C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe"
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: napinsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pnrpnsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wshbth.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winrnr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: napinsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pnrpnsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wshbth.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winrnr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netprofm.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: npmproxy.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samlib.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: napinsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pnrpnsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wshbth.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winrnr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: napinsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pnrpnsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wshbth.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winrnr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samlib.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: usp10.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: msls31.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: dwmapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: davhlpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: msimg32.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: dbghelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: cabinet.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: lpk.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: msihnd.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: riched20.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: tsappcmp.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: pcacli.dllJump to behavior
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: libjyy.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: vcruntime140.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: pcacli.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeSection loaded: sfc_os.dllJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeSection loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeSection loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeSection loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeSection loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeSection loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeSection loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: version.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: wsock32.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: upsdk.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: tdpcontrol.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: tdpstat.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: libcurl.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: mpr.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: tdpstat.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: wininet.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: tdpinfo.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: wship6.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: hipsdiamain.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: msvcr100.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: uxtheme.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: cryptsp.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: rsaenh.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: sspicli.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: cryptbase.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: napinsp.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: pnrpnsp.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: wshbth.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: nlaapi.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: iphlpapi.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: mswsock.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: dnsapi.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: winrnr.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: windows.storage.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: wldp.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: apphelp.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeSection loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: libmini.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: netdevenvspeed.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: winmm.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: dxgi.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: dinput8.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: wininet.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: inputhost.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: coreuicomponents.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: napinsp.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: pnrpnsp.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: wshbth.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: nlaapi.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: hid.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: winrnr.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: devobj.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: mmdevapi.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: ksuser.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: avrt.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: audioses.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: powrprof.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: umpdc.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: msacm32.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: midimap.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: devenum.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: msdmo.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: resourcepolicyclient.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: avicap32.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeSection loaded: msvfw32.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile written: C:\Users\user\AppData\Local\AdvinstAnalytics\6627be3e20a59ade4c1add8b\1.1.6\tracking.ini
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: e-SPT Masa PPh.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                    Source: e-SPT Masa PPh.exeStatic file information: File size 29409880 > 1048576
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile opened: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Microsoft.VC90.CRT\msvcr90.dll
                    Source: e-SPT Masa PPh.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x298000
                    Source: e-SPT Masa PPh.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: e-SPT Masa PPh.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: e-SPT Masa PPh.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: e-SPT Masa PPh.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: e-SPT Masa PPh.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: e-SPT Masa PPh.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: e-SPT Masa PPh.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                    Source: e-SPT Masa PPh.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: wininet.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.2092124918.000000000983D000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2175531406.00000000072DD000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\oDayProtect.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: msvcr90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004DD9000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: D:\dbs\el\ddvsm\out\Intermediate\vscommon\perfwatson2.csproj_FB008427_ret\objr\amd64\PerfWatson2.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BF1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScan.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: msvcp100.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000047B4000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: d:\build\ob\bora-21885936\cayman_zlib\build\release\win32_vc140\zlib\build\zlib1.pdb$$ source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BF1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417339817.0000000003DA5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000005131000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQPCHwNetwork.pdbRR#GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLayoutMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmauthd-log\win32\release\vmauthd.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BF1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: c:\vmagent_new\bin\joblist\622859\src\x\x86_ntvbld\objfre_win7_x86\i386\ntvbld.pdb` source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQFileFlt.pdb.. GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: d:\build\ob\bora-19436861\cayman_gettext\gettext\MSVC14\libintl_dll\Release\libintl_dll.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\gitproj\7z2201-src\CPP\7zip\UI\Console\Release\Console.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000000.2375919583.0000000000CD8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000002.2424435560.0000000000CD8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000002.2442124456.0000000000CD8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000000.2425091128.0000000000CD8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000C.00000002.2444255779.0000000000CD8000.00000002.00000001.01000000.0000000D.sdmp, e8a0d5af432b7e64DBD.exe, 0000000C.00000000.2442832914.0000000000CD8000.00000002.00000001.01000000.0000000D.sdmp
                    Source: Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLayoutMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb!! source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\MemDefrag.pdbII#GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: D:\a\_work\1\s\obj\VS\Microsoft.VisualStudio.Web.Host\Release\Microsoft.VisualStudio.Web.Host.pdbf source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScanX64.pdb'' GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: e:\KWSING\trunk\KwResource\pdb\release\HTTPRequest.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLib.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000424D000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: .pdb% source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000011.00000002.2609178668.0000000002468000.00000040.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000011.00000002.2610324883.000000000301C000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMEventBus.pdb source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439802519.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439980096.00000000038A0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: mfc90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004458000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScan.pdbLL%GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\Administrator\Desktop\etcp5.0\Release\etcp.pdb source: Bor32-update-flase.exe, 00000011.00000002.2609178668.0000000002460000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: libEGL.dll.pdbs source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: msvcp120.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000048DB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003CF2000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: msvcr80.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004A91000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: msvcr100.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004A91000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003CF2000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, Bor32-update-flase.exe, 00000011.00000002.2612975709.000000006B0F1000.00000020.00000001.01000000.00000016.sdmp
                    Source: Binary string: d:\build\ob\bora-19436861\cayman_gettext\gettext\MSVC14\libintl_dll\Release\libintl_dll.pdb11 source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\8168\vc98\dev\bin\vcspawn.pdbMZ source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: msvcr120.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004A91000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMDns.pdbDD!GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: D:\Projects\WinRAR\rar\build\rar32\Release\RAR.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMDns.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: msvcp110.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000047B4000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwCommonUI.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wininet.pdbUGP source: e-SPT Masa PPh.exe, 00000000.00000003.2092124918.000000000983D000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2175531406.00000000072DD000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: c:\vmagent_new\bin\joblist\622869\src\x\x64_ntvbld\objfre_win7_amd64\amd64\ntvbld64.pdbL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\oDayProtect.pdbAA#GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: c:\vmagent_new\bin\joblist\622859\src\x\x86_ntvbld\objfre_win7_x86\i386\ntvbld.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: msvcp80.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000048DB000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: h:\ch1\src\sandbox\wow_helper\wow_helper.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.2064937321.0000000009620000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\8168\vc98\dev\bin\vcspawn.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMEventBus.pdbZZ source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: msvcr110.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004A91000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\vmagent_new\bin\joblist\419058\out\Release\360AppCore.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439980096.00000000038AF000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2439802519.00000000036A0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQPCHwNetwork.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: G:\CLIENT\fhbemb\src\bin\Release\fhjyy.pdb source: fhjyy.exe, 00000007.00000002.2444646168.0000000000BEE000.00000002.00000001.01000000.0000000B.sdmp, fhjyy.exe, 00000007.00000000.2373305064.0000000000BEE000.00000002.00000001.01000000.0000000B.sdmp
                    Source: Binary string: C:\test\intelligentDemo\PackageMgr\Release\PackageMgr.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: e:\KWSING\trunk\KwResource\pdb\release\kwlogsvr.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000424D000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMOfficeScanX64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: e:\KWSING\trunk\KwResource\pdb\release\KwLib.pdbp source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000424D000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMAVProxy.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000048DB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003CF2000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: h:\ch1\src\sandbox\wow_helper\wow_helper.pdbp source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.2064937321.0000000009620000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: e-SPT Masa PPh.exe, 00000000.00000003.2064937321.0000000009620000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: d:\build\ob\bora-19188697\cayman_glib\glib\src\build\win32\vs14\Release\Win32\bin\gmodule-2.0.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: G:\CLIENT\fhbemb\src\bin\Release_NL\fhbmini.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, Haloonoroff.exe, 00000013.00000000.2606321492.000000000005E000.00000002.00000001.01000000.00000018.sdmp
                    Source: Binary string: C:\vmagent_new\bin\joblist\368203\out\Release\HipsLog.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: e-SPT Masa PPh.exe
                    Source: Binary string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb.. source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000048DB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003CF2000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMRtpDLL.pdbWW'GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: msvcp90.i386.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004A91000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QQFileFlt.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000048DB000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003CF2000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: libEGL.dll.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: G:\CLIENT\WallPaper_feihuo\windows\FFWallpaper\bin\Release\bfcipc.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: \WallPaper\windows\FFWallpaper\bin\Release\FFWallpaper.pdb source: Bor32-update-flase.exe, 00000011.00000002.2610324883.0000000002A93000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: c:\vmagent_new\bin\joblist\622869\src\x\x64_ntvbld\objfre_win7_amd64\amd64\ntvbld64.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb-- source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.2067835237.0000000008117000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2064937321.0000000009A37000.00000004.00001000.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2170644364.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000004.00000003.2175135063.0000000007BB1000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: rundll32.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: d:\build\ob\bora-21885936\cayman_zlib\build\release\win32_vc140\zlib\build\zlib1.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BF1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417339817.0000000003DA5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000005131000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: D:\a\_work\1\s\obj\VS\Microsoft.VisualStudio.Web.Host\Release\Microsoft.VisualStudio.Web.Host.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMRtpDLL.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.2064937321.0000000009620000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\MemDefrag.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\basichttp\win32\release\basichttp.pdb source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallerAnalytics.pdb source: e-SPT Masa PPh.exe, 00000000.00000002.2485960344.000000006C627000.00000002.00000001.01000000.00000008.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2064937321.000000000991B000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: e-SPT Masa PPh.exe, 00000000.00000003.2064937321.0000000009620000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\test\intelligentDemo\PackageMgr\Release\PackageMgr.pdb//' source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: E:\qci_workspace\root-workspaces\__qci-pipeline-1196123-1\Basic\Output\BinFinal\QMAVProxy.pdb__(GCTL source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmp
                    Source: e-SPT Masa PPh.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: e-SPT Masa PPh.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: e-SPT Masa PPh.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: e-SPT Masa PPh.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: e-SPT Masa PPh.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                    Source: shiE7EF.tmp.0.drStatic PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_01044A60 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,LoadLibraryW,GetProcAddress,GetEnvironmentVariableW,SHGetPathFromIDListW,SHGetMalloc,0_2_01044A60
                    Source: e-SPT Masa PPh.exeStatic PE information: section name: .didat
                    Source: NetmTray.dll.0.drStatic PE information: section name: .menu_sh
                    Source: NetmTray64.dll.0.drStatic PE information: section name: .menu_sh
                    Source: npaxlogin.dll.0.drStatic PE information: section name: .orpc
                    Source: Ntvbld64.dll.0.drStatic PE information: section name: .share
                    Source: HackPatch.dll.0.drStatic PE information: section name: PlugImm
                    Source: HotfixCommon.dll.0.drStatic PE information: section name: .detourc
                    Source: HotfixCommon.dll.0.drStatic PE information: section name: .detourd
                    Source: HotfixCommon64.dll.0.drStatic PE information: section name: .detourc
                    Source: HotfixCommon64.dll.0.drStatic PE information: section name: .detourd
                    Source: ieplus.dll.0.drStatic PE information: section name: .360_iep
                    Source: ieplus64.dll.0.drStatic PE information: section name: .360_iep
                    Source: iNetSafe.dll.0.drStatic PE information: section name: .shared
                    Source: iNetSafe64.dll.0.drStatic PE information: section name: .detourc
                    Source: iNetSafe64.dll.0.drStatic PE information: section name: .detourd
                    Source: libzdtp.dll.0.drStatic PE information: section name: .detourc
                    Source: libzdtp.dll.0.drStatic PE information: section name: .detourd
                    Source: libzdtp64.dll.0.drStatic PE information: section name: .detourc
                    Source: libzdtp64.dll.0.drStatic PE information: section name: .detourd
                    Source: shiE7EF.tmp.0.drStatic PE information: section name: .wpp_sf
                    Source: shiE7EF.tmp.0.drStatic PE information: section name: .didat
                    Source: NetmTray.dll.2.drStatic PE information: section name: .menu_sh
                    Source: NetmTray64.dll.2.drStatic PE information: section name: .menu_sh
                    Source: npaxlogin.dll.2.drStatic PE information: section name: .orpc
                    Source: Ntvbld64.dll.2.drStatic PE information: section name: .share
                    Source: HackPatch.dll.2.drStatic PE information: section name: PlugImm
                    Source: HotfixCommon.dll.2.drStatic PE information: section name: .detourc
                    Source: HotfixCommon.dll.2.drStatic PE information: section name: .detourd
                    Source: HotfixCommon64.dll.2.drStatic PE information: section name: .detourc
                    Source: HotfixCommon64.dll.2.drStatic PE information: section name: .detourd
                    Source: ieplus.dll.2.drStatic PE information: section name: .360_iep
                    Source: ieplus64.dll.2.drStatic PE information: section name: .360_iep
                    Source: iNetSafe.dll.2.drStatic PE information: section name: .shared
                    Source: iNetSafe64.dll.2.drStatic PE information: section name: .detourc
                    Source: iNetSafe64.dll.2.drStatic PE information: section name: .detourd
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_3_054BD282 push 08054D6Eh; ret 0_3_054BD28D
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_3_054BD592 push ebp; ret 0_3_054BD5A1
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_3_05504FA1 push edx; ret 0_3_0550533D
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_010FD23E push ecx; ret 0_2_010FD251
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00F0F3B0 push ecx; mov dword ptr [esp], ecx0_2_00F0F3B1
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_0100B290 push ecx; mov dword ptr [esp], 3F800000h0_2_0100B3EF
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_6C5EEC0C push ecx; ret 0_2_6C5EEC1F
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_6C585DC4 push es; retn 0003h0_2_6C585DC7
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_3_00B766A4 push ebp; ret 4_3_00B76D61
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_3_00B658F4 push ebx; retf 4_3_00B658F7
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_3_00B658F8 push ecx; retf 4_3_00B658FB
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_3_00B658E4 push ebp; retf 4_3_00B658F3
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_3_00B62FD5 push 0000002Fh; retf 0075h4_3_00B6305A
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_3_00B76DD4 push edi; ret 4_3_00B76DD9
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_3_00B6BB29 push eax; iretd 4_3_00B6BBA5
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_010FD23E push ecx; ret 4_2_010FD251
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_00F0F3B0 push ecx; mov dword ptr [esp], ecx4_2_00F0F3B1

                    Persistence and Installation Behavior

                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGXlong.sys
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ntvbld.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\filemgr.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\msvcr90.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\LeakFixHelper.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\probe.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeFile created: C:\Users\user\AppData\Local\Temp\5941984\....\TemporaryFile (copy)
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\iNetSafe.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Watson2.exe
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\BBC.exe
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\mobileflux.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\hipslog.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\jpnative32.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\libcurrant.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\rtl120.bpl
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\libgravity.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\madExcept_.bpl
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\PopSoftEng.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\HotfixCommon64.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\pp_helper.exe
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\vcruntime140.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Ntvbld64.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\HoursBroker\DrawContent\DrawContentNoname.exe
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Microsoft.VC90.CRT\msvcp90.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\MiniUI.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\HotfixCommon.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\PackageMgr.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\7z.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeFile created: C:\Users\user\AppData\Local\Temp\5943031\....\TemporaryFile (copy)
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\NetmonEP.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3AAB.tmp
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\GmeApi64.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF803.tmp
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\npaxlogin.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\zlib1.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\HipsdiaMain.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\msvcp110.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\oDayProtect.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\fhjyy.exe
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\NotifyDown.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\QseCore.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\TDPSTAT.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\HipsLogCenter.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\npaxlogin.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\vcruntime140_1.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\libcurl.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\msvcp140_2.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\NetDevenvSpeed.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcr110.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetDiagDll.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\msvcp80.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\iNetSafe64.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libzdtp64.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\np360SoftMgr.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\probe.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\Netgm.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\MSI7BD1.tmp
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetDefender.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\iopdate.exe
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\QMDns.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Microsoft.VC90.MFC\mfc90.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\bpchelper.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\NetmLogin.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\fixsc64.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\qutmload.dll
                    Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\shiECC0.tmp
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp100.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\ieplus.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\libzdtp64.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\lockkrnl.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\filemgr.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp140_1.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\rar.exe
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBE6.tmp
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetSpeed.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\UPSDK.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HipsLogCenter.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libzdtp.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ieplus.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeFile created: C:\Users\user\AppData\Local\Temp\5941921\....\TemporaryFile (copy)
                    Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\SysWOW64\libjyy.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\RX.EXE
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\heavygate.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB76.tmp
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\np360SoftMgr.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp120.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\N0vaDesktop.exe
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\NetmTray.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\LeakFixHelper64.dll
                    Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\shiED3E.tmp
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ieplus64.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcr120.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Gme.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\msvcr110.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\imhelper.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\GmeApi.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\vcruntime140.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\LeakFixHelper64.dll
                    Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\7z.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\OTGContainer.exe
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\mobileflux.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\NetDefender.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\MSIE89C.tmp
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\MSIEAEF.tmp
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\msvcr120.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF8C1.tmp
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\msvcp100.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\qutmipc.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\ebHost.exe
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\fixsc.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\GmeApi.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp110.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\QQFileFlt.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\LiveUpd360.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB37.tmp
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\qroscfg.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\MemDefrag.dll
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\pluginmgr.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeFile created: C:\Users\user\AppData\Local\Temp\27557\....\Microsoft.TransCompositib.msi (copy)
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\QMOfficeScan.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\msvcp140_1.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\XLGameUpdate.exeJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6196\WHelp.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp140_2.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\msvcp140.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeFile created: C:\Users\user\AppData\Local\Temp\5943000\....\TemporaryFile (copy)Jump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF7A3.tmpJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\TDPINFO.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NotifyDown.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\shiE7EF.tmpJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6196\lzmaextractor.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ImAVEng.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\jpnative64.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\fixsc.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\libzdtp.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\LiveUpd360.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\libmini.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\iNetSafe64.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\PDown.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\QseCore.dllJump to dropped file
                    Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\shiF964.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\NetDiagDll.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\QMAVProxy.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\libEGL.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\QMRtpDLL.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\AgentJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\TDPCONTROL.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\ntvbld.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\NetSpeed.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\QMOfficeScanX64.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmTray64.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\QMEventBus.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\netmstart.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\msvcr80.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\PSpendZ.exeJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\PopSoftEng.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\netmstart.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\HoursBroker\lco.exeJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\MSIEC96.tmpJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Hamster.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\MiniUI.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\APXhttp.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\libcurl.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\QMDns.dllJump to dropped file
                    Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\jpnative32.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmonEP.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\msvcp120.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\GmeApi64.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\zip.exeJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBB6.tmpJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\hipslog.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\QQPCHwNetwork.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\TPClnVM.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAB8.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\Gme.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\qutmload.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\oDayProtect.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF7E3.tmpJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmLogin.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Microsoft.VC90.CRT\msvcr90.dllJump to dropped file
                    Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\shiF9F2.tmpJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\MSI362.tmpJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\msvcr100.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\ntvbld.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libcurrant.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\iNetSafe.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\bfcipc.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\vcruntime140_1.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF940.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\Hamster.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\fixsc64.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\MSI392.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\Ntvbld64.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\KwLib.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\leakrepair.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HotfixCommon.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Microsoft.Bcl.AsyncInterfaces.exeJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\intl.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\NetmTray64.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libscent35.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\madBasic_.bplJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Netgm.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\hipslog.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcr100.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\vclx120.bplJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeFile created: C:\Users\user\AppData\Local\Temp\5942968\....\TemporaryFile (copy)Jump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\PDown.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ipcservice.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\KwLogSvr.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\PackageMgr.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeFile created: C:\Users\user\AppData\Local\Temp\5941890\....\TemporaryFile (copy)Jump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\pluginmgr.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\jpnative64.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\heavygate.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\http.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\imhelper.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\shi895.tmpJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\INAE771.tmpJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\msvcp90.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF8F0.tmpJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeFile created: C:\Users\user\AppData\Local\Temp\5942937\....\TemporaryFile (copy)Jump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libgravity.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB07.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\ieplus64.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\leakrepair.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\QMAVProxy.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF862.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\lockkrnl.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\madDisAsm_.bplJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\LeakFixHelper.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\APXmodule-2.0.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmTray.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HotfixCommon64.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\KwLayoutMgr.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\vcl120.bplJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\ImAVEng.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Ntvbld64.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\qroscfg.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2F3F.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\ipcservice.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp140.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2EFF.tmpJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\ATellPhonJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\qutmipc.dllJump to dropped file
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeFile created: C:\Users\user\AppData\Local\Temp\27557\....\Microsoft.TransCompositia.msi (copy)Jump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\KwCommonUI.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\vmauthd.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\IkCWSTWLLRQX\libscent35.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\MSI7BA2.tmpJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile created: C:\Users\user\AppData\Local\Temp\MSIEA04.tmpJump to dropped file
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeFile created: C:\Users\user\AppData\Local\Temp\1736324108\....\Microsoft.TransCompositio.msi (copy)Jump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2F3F.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2EFF.tmpJump to dropped file
                    Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\SysWOW64\libjyy.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB76.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB07.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB37.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBE6.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBB6.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3AAB.tmpJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAB8.tmpJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\vcl120.bplJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\vclx120.bplJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\AgentJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\ATellPhonJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\madBasic_.bplJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\madDisAsm_.bplJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\madExcept_.bplJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeFile created: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\rtl120.bplJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe Code function: 7_2_6C2011C0 ProcessMain,memset,CoInitialize,CoCreateGuid,CoCreateGuid,CoUninitialize,memset,lstrlenW,memset,memset,memset,memset,memset,memset,memset,memset,memset,_wcsrev,memset,lstrcatW,lstrcatW,memset,memset,memset,memset,memset,memset,memset,memset,memset,lstrcmpW,lstrcmpW,lstrcmpW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,memset,wsprintfW,wsprintfW,memset,wsprintfW,memset,wsprintfW,ShellExecuteExW,WaitForSingleObject,CloseHandle,WaitForSingleObject,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,exit
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Zfvolg5992448tnl
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_009E05DC IsIconic,GetWindowPlacement,GetWindowRect
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_00A1A5DC IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_009F4990 IsIconic
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_009F4A0C GetWindowLongA,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongA,SetWindowLongA,ShowWindow,ShowWindow
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_00A1B054 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_00A19CD4 IsIconic,GetCapture
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_00A200BC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: 17_2_008980EC
                    Source: C:\Windows\SysWOW64\msiexec.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                    Source: C:\Windows\SysWOW64\msiexec.exe System information queried: FirmwareTableInformation
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe File opened / queried: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Optimizat\themes\ovf-vmware.xsd
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe File opened / queried: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Optimizat\themes\ovfenv-vmware.xsd
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,17_2_009FDE9C
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe Code function: GetAdaptersInfo,0_2_6C5BF8D0
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe Thread delayed: delay time: 86400000
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe Window / User API: threadDelayed 6225
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe Window / User API: foregroundWindowGot 1762
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeDropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\PopSoftEng.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\netmstart.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\HoursBroker\lco.exeJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIEC96.tmpJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeDropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Hamster.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeDropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\MiniUI.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\APXhttp.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeDropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\QMDns.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\jpnative32.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\msvcp120.dllJump to dropped file
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeDropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmonEP.dllJump to dropped file
                    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\GmeApi64.dllJump to dropped file
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\zip.exeJump to dropped file
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSIBB6.tmp
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\hipslog.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\QQPCHwNetwork.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\TPClnVM.dll
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\Gme.dll
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSIAB8.tmp
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\qutmload.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\oDayProtect.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF7E3.tmp
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Microsoft.VC90.CRT\msvcr90.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmLogin.dll
                    Source: C:\Windows\SysWOW64\msiexec.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiF9F2.tmp
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\ntvbld.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI362.tmp
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libcurrant.dll
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\iNetSafe.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\vcruntime140_1.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\bfcipc.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF940.tmp
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\Hamster.dll
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\fixsc64.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI392.tmp
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\Ntvbld64.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\KwLib.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\leakrepair.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HotfixCommon.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Microsoft.Bcl.AsyncInterfaces.exe
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\intl.dll
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\NetmTray64.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libscent35.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\madBasic_.bpl
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Netgm.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\hipslog.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\vclx120.bpl
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5942968\....\TemporaryFile (copy)
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\PDown.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\ipcservice.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\PackageMgr.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\KwLogSvr.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5941890\....\TemporaryFile (copy)
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\pluginmgr.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\jpnative64.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\http.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\heavygate.dll
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\imhelper.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi895.tmp
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\INAE771.tmp
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\msvcp90.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF8F0.tmp
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5942937\....\TemporaryFile (copy)
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\libgravity.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\QMAVProxy.dll
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\leakrepair.dll
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\ieplus64.dll
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSIB07.tmp
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF862.tmp
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\lockkrnl.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\madDisAsm_.bpl
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\LeakFixHelper.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\APXmodule-2.0.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\KwLayoutMgr.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\NetmTray.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HotfixCommon64.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\vcl120.bpl
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\ImAVEng.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\Ntvbld64.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\qroscfg.dll
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSI2F3F.tmp
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\ipcservice.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\msvcp140.dll
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSI2EFF.tmp
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\ATellPhon
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\qutmipc.dll
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\27557\....\Microsoft.TransCompositia.msi (copy)
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\KwCommonUI.dll
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\vmauthd.dll
                    Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\IkCWSTWLLRQX\libscent35.dll
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIEA04.tmp
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7BA2.tmp
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_0-89551)
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; API coverage: 8.5 %
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe; API coverage: 0.9 %
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe; Code function: 17_2_008980EC
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; TID: 764; Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe; TID: 3376; Thread sleep time: -70000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe; TID: 1536; Thread sleep time: -41000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe; TID: 1560; Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe; TID: 1124; Thread sleep time: -73000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe; TID: 6644; Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe; TID: 1560; Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe; TID: 6756; Thread sleep time: -86400000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe; Last function: Thread delayed
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; File Volume queried: C:\Program Files (x86) FullSizeInformation
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; File Volume queried: C:\Program Files (x86)\WindowsInstallerIC\7AF5081 FullSizeInformation
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exe; File Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_0102E4E0 FindFirstFileW,GetLastError,FindClose,0_2_0102E4E0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00F14AD0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,0_2_00F14AD0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_01059F30 FindFirstFileW,FindClose,CloseHandle,CloseHandle,0_2_01059F30
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_010540C0 FindFirstFileW,FindClose,0_2_010540C0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_01010370 FindFirstFileW,FindNextFileW,FindClose,0_2_01010370
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_01064620 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,0_2_01064620
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_01064AA0 FindFirstFileW,FindClose,0_2_01064AA0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_0103CDF0 FindFirstFileW,FindClose,FindClose,0_2_0103CDF0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_0102DBB0 FindFirstFileW,FindFirstFileW,FindClose,FindClose,0_2_0102DBB0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_6C5E4E20 FindFirstFileW,FindClose,GetLastError,FindClose,0_2_6C5E4E20
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_6C5DF260 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,0_2_6C5DF260
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_6C603D4B FindFirstFileExW,0_2_6C603D4B
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_0102E4E0 FindFirstFileW,GetLastError,FindClose,4_2_0102E4E0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_0102DA30 FindFirstFileW,FindFirstFileW,FindClose,FindClose,4_2_0102DA30
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeCode function: 7_2_00BE74DA FindFirstFileExW,7_2_00BE74DA
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: 8_2_00C58BA4 __EH_prolog3_GS,FindFirstFileA,FindFirstFileW,FindFirstFileW,8_2_00C58BA4
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: 8_2_00CBD528 FindFirstFileExA,8_2_00CBD528
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: 8_2_00CBD7E0 FindFirstFileExW,FindClose,FindNextFileW,8_2_00CBD7E0
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: 8_2_00CBD9C1 FindFirstFileExW,8_2_00CBD9C1
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: 8_2_00CBD996 FindFirstFileExA,8_2_00CBD996
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_0085657C GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,17_2_0085657C
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_00858E6C FindFirstFileA,FindClose,17_2_00858E6C
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_00858E6A FindFirstFileA,FindClose,17_2_00858E6A
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_00A52298 FindFirstFileA,SetFileAttributesA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,17_2_00A52298
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_0098A698 FindFirstFileA,FindClose,17_2_0098A698
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_0098A696 FindFirstFileA,FindClose,17_2_0098A696
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_0098A7A8 FindFirstFileA,FindClose,17_2_0098A7A8
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_009D27D0 FindFirstFileA,FindClose,FileTimeToDosDateTime,17_2_009D27D0
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_0098AAB4 FindFirstFileA,GetLastError,17_2_0098AAB4
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_00986B80 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,17_2_00986B80
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_00A4EDA0 FindFirstFileA,SetFileAttributesA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,17_2_00A4EDA0
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_00A98948 FindFirstFileA,FindClose,17_2_00A98948
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_00A98946 FindFirstFileA,FindClose,17_2_00A98946
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_01063270 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,0_2_01063270
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_010F95F3 VirtualQuery,GetSystemInfo,0_2_010F95F3
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeThread delayed: delay time: 30000
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeThread delayed: delay time: 86400000
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CompanyNameVMware, Inc.b
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: <description>"VMware Authorization Service"</description>
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: http://www.vmware.com/0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmware-vmx.exe%s%c..%c%svmware-vmx-debug.exevmware-vmx-stats.exeNo ticket found
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: StartVirtualMachines%s: Failed to retrieve info from %%ALLUSERSPROFILE%%%s.
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware, Inc.1!0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareAutostartServiceVMAutostartRunServiceStarting service control dispatcher
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: name="VMware.VMware.vmauthd"
                    Source: e-SPT Masa PPh.exe, 00000000.00000003.2064937321.0000000009620000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: PANIC: %s599 vmware-authd PANIC: %s
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb!!
                    Source: e-SPT Masa PPh.exe, 00000000.00000003.2476806637.0000000005564000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2091474174.0000000005564000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2080021674.00000000080B4000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2091761298.00000000080B1000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2080085319.0000000005564000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2483030591.00000000080B3000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2480939161.0000000005564000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2079666749.000000000808C000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000002.2484296430.0000000005564000.00000004.00000020.00020000.00000000.sdmp, e-SPT Masa PPh.exe, 00000000.00000003.2482531295.00000000080AF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware, Inc.1
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware, Inc.0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmwarebase.DLL
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Unicode_TrimRightvmwarebase.DLL
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmware-
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 17.5.0 build-22583795VMware Workstation%s Authentication Daemon Version %u.%u for %s %s
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: D:\build\ob\bora-20800274\bora\build\build\LIBRARIES\vmwarestring\win32\release\vmwarestring.pdb
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: noreply@vmware.com0
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Invalid pathname (too long)Config file not found: %sVMware Server ConsoleYou need read access in order to connect with the %s. Access denied for config file: %sYou need execute access in order to connect with the %s. Access denied for config file: %s%s-fdConnect %sError connecting to %s service instance.Can't create mutex '%s' (%d)Timeout acquiring thread lock.-fdvmauthd.connectionSetupTimeoutCould not open %s process %d. (error %d)Error connecting to vmx process.No such %s process: %s
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393788768.0000000002CF8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VGX\Optimizat\themes\ovf-vmware.xsdo"
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware Authorization Service
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: name="VMware.VMware.vmwarestring"
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: HttpURI_ParseAndDecodeURLvmwarebase.DLL
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: FileDescriptionVMware BasicHTTP DLLL
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware Server Console
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmware-autostart.log
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Authorization and authentication service for starting and accessing virtual machinesVMware Authorization ServiceVMAuthdServiceSuccessfully registered %s.
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: FileDescriptionVMware event log sourceL
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMWARE_BASICHTTP_TRACE
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware Workstation
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 599 vmware-authd PANIC: %s
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevmware-authd.exeF
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: : SSL RequiredNFCSSL supported/tServerDaemonProtocol:SOAPVMware%s Authentication Daemon Version %u.%u%s, %s, %s, %s, %s, %s%sError retrieving thumbprintInvalid arguments to '%s%s'Login failed: token key authentication not allowed.GET TOKEN KEY failed: got %s
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmware-hostd
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMWARE_HTTPSPROXYBasicHTTP: AppendRequestHeader failed to append to the request header. Insufficient memory.
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: FileDescriptionVMware string libraryL
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevmwarestring.DLLF
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: http://www.vmware.com/0/
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: <description>"VMware string library"</description>
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: nfcnfcsslvmware-hostdPROXY service %s not found.USER too long.Password required for %s.Login with USER first.InSeCuRePassword not understood.User %s logged in.LOGIN FAILURE from %.128s, %s
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmwarestring.dll
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: StartVirtualMachines
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ProductNameVMware WorkstationP
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: \VMware\VMware Workstation\vmAutoStart.xml
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 1998-2023 VMware, Inc.J
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMWARE_BASICHTTP_TRACE0bora\apps\lib\basicHttp\http.cBasicHTTP: curl_multi_init failed.
                    Source: Bor32-update-flase.exe, 00000011.00000002.2607479093.000000000076C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: D:\build\ob\bora-22583795\bora\build\build\vmware-autostart\release\win32\vmware-autostart.pdb..
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: FileDescriptionVMware Authorization ServiceL
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 1998-2022 VMware, Inc.J
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmware-vmx-debug.exe
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 1998-2022 VMware, Inc.D
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMWARE_HTTPSPROXY
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmware-vmx-stats.exe
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: File_CreateDirectoryvmwarebase.DLL)_strdup
                    Source: Haloonoroff.exe, 00000013.00000003.2621797033.0000000001518000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBoxService.exe\x
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: security.host.ruisslvmwareauthd.policy.allowRCForReadvmauthd.startupTimeoutgetpeername failed: %d tid %d
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: User not authorized for vpx agent contactvmware-vpxaUser not authorized for vmx contactConnecting socket=%s
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: D:\build\ob\bora-22583795\bora\build\build\authd\release\win32\vmware-authd.pdb--
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: InternalNamevmwarestringj#
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000002.2423551596.0000000000AC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VGX\Optimizat\themes\ovfenv-vmware.xsd
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: \\.\pipe\vmware-authdpipeCreateNamedPipe failed: %s (%d)
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: @vmware-autostartVMAutostart_InitGetVMAutostartConfigFilePathCould not get the ALLUSERSPROFILE folder path
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CompanyNameVMware, Inc.R
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: <description>"VMware event log source"</description>
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CompanyNameVMware, Inc.T
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware-client
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmware-vmx.exe
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CompanyNameVMware, Inc.X
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 1998-2022 VMware, Inc.@
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware Autostart ServiceCreateService failed (%d)
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: name="VMware.VMware.basichttp"
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: noreply@vmware.com
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: name="VMware.VMware.vmauthd-log"
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmware-\vmware-autostart.loga+Cannot open file '%s'
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmware-vpxa
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmware-autostart
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2391640697.00000000009FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: igVGX/cdm.sigVGX/chrome_200_percent.pakVGX/contribscr.iniVGX/cor.sigVGX/DataTransform.iniVGX/dmEetfzcFeMLeUVbVGX/HoursBroker/CIM_ResourceAllocationSettingData.xsdVGX/HoursBroker/CIM_VirtualSystemSettingData.xsdVGX/HoursBroker/common.xsdVGX/HoursBroker/hi.pakVGX/HoursBroker/hr.pakVGX/HoursBroker/hu.pakVGX/HoursBroker/li.datVGX/HoursBroker/LICENSE.3rdVGX/HoursBroker/LICENSE.libcodecsVGX/HoursBroker/LICENSE.libdtVGX/HoursBroker/livehis.datVGX/HoursBroker/Microsoft.VC80.ATL.manifestVGX/HoursBroker/Microsoft.VC80.CRT.manifestVGX/HoursBroker/package.jsonVGX/HoursBroker/rpi.datVGX/HoursBroker/slist.datVGX/HoursBroker/versionVGX/HoursBroker/xml.xsdVGX/intchar32VGX/intchar64VGX/LastnamaVGX/LastnameVGX/LastnymcVGX/libtemp.batVGX/LostVGX/LostHeVGX/LostPVGX/LostPHeVGX/LostPSheVGX/LostSheVGX/madBasic_.bplVGX/madDisAsm_.bplVGX/madExcept_.bplVGX/Microsoft.VC80.ATL.manifestVGX/Microsoft.VC80.CRT.manifestVGX/Microsoft.VC90.CRT/Microsoft.VC90.CRT.manifestVGX/Microsoft.VC90.MFC/Microsoft.VC90.MFC.manifestVGX/Microsoft_VC90_CRT_manifestVGX/NetSpeedLogVGX/NULL.binVGX/NVIDIA_GeForce_Experience_jsonVGX/Optimizat/plugins/am.pakVGX/Optimizat/plugins/ar.pakVGX/Optimizat/plugins/bg.pakVGX/Optimizat/plugins/Microsoft.VC80.ATL.manifestVGX/Optimizat/plugins/Microsoft.VC80.CRT.manifestVGX/Optimizat/plugins/vd.icoVGX/Optimizat/plugins/versionVGX/Optimizat/themes/ca.pakVGX/Optimizat/themes/cs.pakVGX/Optimizat/themes/da.pakVGX/Optimizat/themes/isolinux.binVGX/Optimizat/themes/ovf-vmware.xsdVGX/Optimizat/themes/ovfenv-vmware.xsdVGX/Optimizat/themes/sample.flpVGX/Optimizat/vmPerfmon.hVGX/plugins/de.pakVGX/plugins/el.pakVGX/plugins/en-GB.pakVGX/plugins/en-US.pakVGX/plugins/Microsoft.VC80.ATL.manifestVGX/plugins/Microsoft.VC80.CRT.manifestVGX/plugins/RunHours/es-419.pakVGX/plugins/RunHours/es.pakVGX/plugins/RunHours/et.pakVGX/plugins/RunHours
/fa.pakVGX/plugins/versionVGX/Ptuity.plxVGX/Ptuityoosty.plxVGX/qvlnk.broVGX/rbVGX/rtl120.bplVGX/settingssVGX/settingss2VGX/somextrainfo.iniVGX/SresoBooster.uiVGX/station.binVGX/SysP1.batVGX/SysP2.batVGX/Theme.icoVGX/TP.iniVGX/vcl120.bplVGX/vclx120.bplVGX/version/AARV1VGX/version/AARV2VGX/version/AuLibV1VGX/version/AuLibV2VGX/version/CharMainoV1VGX/version/CharMainoV2VGX/version/CjLibV1VGX/version/CjLibV2VGX/version/ComeOnVGX/version/globalV1VGX/version/globalV2VGX/version/QdLibV1VGX/version/QdLibV2VGX/version/qvlnkbroV1VGX/version/qvlnkbroV2VGX/version/settingV1VGX/version/settingV2VGX/version/ShellVGX/version/TOFNCVGX/version/WinCallVGX/VNL.iniVGX/WBGvisualelementsmanifestVGX/WGLogin.olgVGX/Win.rbgVGX/7z.dllVGX/APXhttp.dllVGX/APXmodule-2.0.dllVGX/BBC.exeVGX/bfcipc.dllVGX/bpchelper.dllVGX/ebHost.exeVGX/EduWebContainer.dllVGX/Haloonoroff.exeVGX/hipslog.dllVGX/HoursBroker/DrawContent/DrawContentNoname.exeVGX/HoursBroker/lco.exeVGX/http.dllVGX/intl.dllVGX/iopdate.exeVGX/KwCommonUI.dllVGX/KwLayoutMgr.dllVGX/KwLib.dllVGX/KwLogSvr.dllVGX/libcurl.dllVGX/libEGL.dllVGX/libmini.dllVGX/MemDefrag.dllVGX/Microsoft.Bcl.AsyncInterfaces.exeVGX/Microsoft.VC90.CRT
                    Source: e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: <description>"VMware BasicHTTP DLL"</description>
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeAPI call chain: ExitProcess graph end node
                    Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformation
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeProcess queried: DebugPort
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_01101723 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_01101723
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_010677A0 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,OutputDebugStringW,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,0_2_010677A0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_01044A60 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,LoadLibraryW,GetProcAddress,GetEnvironmentVariableW,SHGetPathFromIDListW,SHGetMalloc,0_2_01044A60
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_010FC11D mov esi, dword ptr fs:[00000030h]0_2_010FC11D
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_01116676 mov eax, dword ptr fs:[00000030h]0_2_01116676
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_011166BA mov eax, dword ptr fs:[00000030h]0_2_011166BA
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_01107D84 mov ecx, dword ptr fs:[00000030h]0_2_01107D84
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_6C5FBA5B mov ecx, dword ptr fs:[00000030h]0_2_6C5FBA5B
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_6C603ABD mov eax, dword ptr fs:[00000030h]0_2_6C603ABD
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_010FC11D mov esi, dword ptr fs:[00000030h]4_2_010FC11D
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_01116676 mov eax, dword ptr fs:[00000030h]4_2_01116676
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_011166BA mov eax, dword ptr fs:[00000030h]4_2_011166BA
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_01107D84 mov ecx, dword ptr fs:[00000030h]4_2_01107D84
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeCode function: 7_2_00BE60A8 mov eax, dword ptr fs:[00000030h]7_2_00BE60A8
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeCode function: 7_2_00BE8164 mov eax, dword ptr fs:[00000030h]7_2_00BE8164
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: 8_2_00CA1819 mov eax, dword ptr fs:[00000030h]8_2_00CA1819
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: 8_2_00CA18A7 mov eax, dword ptr fs:[00000030h]8_2_00CA18A7
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_010FC189 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,0_2_010FC189
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00F322F0 __set_se_translator,SetUnhandledExceptionFilter,0_2_00F322F0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_010FCC0E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_010FCC0E
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00F34F40 __set_se_translator,SetUnhandledExceptionFilter,0_2_00F34F40
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_01101723 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_01101723
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_6C5EEDA5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6C5EEDA5
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_6C5EDF73 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6C5EDF73
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_6C5F2F96 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6C5F2F96
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_00F322F0 __set_se_translator,SetUnhandledExceptionFilter,4_2_00F322F0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_01101723 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_01101723
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_010FCC0E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_010FCC0E
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 4_2_00F34F40 __set_se_translator,SetUnhandledExceptionFilter,4_2_00F34F40
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeCode function: 7_2_00BE5453 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00BE5453
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeCode function: 7_2_00BE2920 SetUnhandledExceptionFilter,7_2_00BE2920
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeCode function: 7_2_00BE1EEE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00BE1EEE
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeCode function: 7_2_00BE278E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00BE278E
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeCode function: 7_2_6C202522 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_6C202522
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeCode function: 7_2_6C202644 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_6C202644
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: 8_2_00C9460E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00C9460E
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: 8_2_00C947A4 SetUnhandledExceptionFilter,8_2_00C947A4
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: 8_2_00CB8B72 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00CB8B72
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: 8_2_00C93395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00C93395
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_01013300 CreateFileW,CloseHandle,WriteFile,CloseHandle,ShellExecuteExW,0_2_01013300
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeProcess created: C:\Users\user\Desktop\e-SPT Masa PPh.exe "C:\Users\user\Desktop\e-SPT Masa PPh.exe" /i "C:\Program Files (x86)\WindowsInstallerIC\7AF5081\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\IkCWSTWLLRQX" SECONDSEQUENCE="1" CLIENTPROCESSID="6196" AI_MORE_CMD_LINE=1
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeProcess created: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\LJBPHRBSRLCI.FNG" -o"C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B" -pIWLHTVJXHINUWUFBWIU -aos -y
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeProcess created: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\KKVIOQVTEUTA.OKO" -o"C:\Program Files (x86)\IkCWSTWLLRQX" -pRFOLHRLVLKWUMQMLJJA -aos -y
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exeProcess created: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe "C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\FNCUNPTNLBMW.DNA" -o"C:\Users\user\AppData\Roaming" -pAEXIKRSDXTBGHJSHHPK -aos -y
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_6C5E5EC0 LocalFree,LocalFree,GetSecurityDescriptorDacl,GetLastError,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,GetLastError,LocalFree,SetSecurityDescriptorDacl,FreeLibrary,0_2_6C5E5EC0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_0102A0A0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle,0_2_0102A0A0
                    Source: Bor32-update-flase.exe, 00000011.00000002.2610324883.0000000002A93000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: Fabout:blank:\kernel32.dll*winswinntwin2000win2000serverwinxpwin2003winvistawin2008win7win2008r2win8win2012win11win10GetNativeSystemInfoProgmanSHELLDLL_DefViewWorkerWSysListView32ToolbarWindow32NotifyIconOverflowWindowBUTTON;Versionopen=%s\%sgetNetBarConfig szMainkey:%s szKey:%s szValue:%s getNetBarConfig error szMainkey:%s szKey:%s
                    Source: Bor32-update-flase.exe, 00000011.00000002.2610324883.0000000002A93000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: ]wQCFFTaskBarDlg{"fftaskbar":{"%s":1,"color":%d,"percent":%d,"align":%d,"applyType":%d}}-%s %d %d %d %dSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeGameDev.exeSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeGame.exeInstallPath%s\wegame.exeExeFileGetCommandLineWkernelBase.dllGetCmdLinentdllProgram ManagerNVIDIA GeForce OverlayDeskWindowkdeskOSRWindowCcWaterMarkWindowATL:00D719E0TXGuiFoundationFound FullScreen Windows: strWindowName=%s strWndClassName=%s hwnd=0x%xSOFTWARE\Microsoft\Windows\CurrentVersion\RunFFWallpaper.exe -silentFFWallpaperSetAutoRun %d, result: %dFolderViewTXMiniSkinLhb
                    Source: Bor32-update-flase.exe, 00000011.00000002.2610324883.0000000002A93000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: tiCBaseWallPaperPlayer::RemoveAllOldWindowsCBaseWallPaperPlayer: RemoveOldWindowsEx: BasePlayerWnd=0x%xCBaseWallPaperPlayer::RemoveWindows()~CDesktopAttributesCDesktopAttributes::ExitFetchThreadCDesktopAttributes::FetchDesktopInfoThreadNew thread New start @@@@CDesktopAttributes::FetchDesktopInfoThread New exitCDesktopAttributes::FetchDesktopInfoThread New not found Program ManagerCDesktopAttributes::FetchDesktopInfoThread New begin set worker end: #### no explorer.exeCDesktopAttributes::FetchDesktopInfoThread New Err: #### no Program Manager with explorerCDesktopAttributes::monitor explorer err quit bizhiWindows
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_6C5EE56C cpuid 0_2_6C5EE56C
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: GetLocaleInfoW,GetLocaleInfoW,0_2_0105C310
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_6C606C39
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: GetLocaleInfoW,0_2_6C606D3F
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_6C606E0E
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: EnumSystemLocalesW,0_2_6C60681D
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_6C6068B0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: EnumSystemLocalesW,0_2_6C5FFB3D
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: GetLocaleInfoW,0_2_6C606B10
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_6C60648F
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: EnumSystemLocalesW,0_2_6C606737
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: EnumSystemLocalesW,0_2_6C606782
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: GetLocaleInfoW,0_2_6C600006
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: GetLocaleInfoW,GetLocaleInfoW,0_2_6C5CB370
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: EnumSystemLocalesW,8_2_00CB97C9
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: EnumSystemLocalesW,8_2_00CB98ED
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: EnumSystemLocalesW,8_2_00CB9931
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: GetLocaleInfoW,8_2_00CBA219
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,8_2_00CC335A
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: EnumSystemLocalesW,8_2_00CC35D2
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: EnumSystemLocalesW,8_2_00CC36D6
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: EnumSystemLocalesW,8_2_00CC363B
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,8_2_00CC3763
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: GetLocaleInfoW,8_2_00CC39B3
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_00CC3ADC
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: GetLocaleInfoW,8_2_00CC3BE3
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_00CC3CB0
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,17_2_00856740
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: GetLocaleInfoA,17_2_0085C6A8
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: GetLocaleInfoA,17_2_0085C6F4
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,17_2_0085684C
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: GetLocaleInfoA,17_2_0098E194
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: GetLocaleInfoA,17_2_0098E1E0
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,17_2_00986D44
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,17_2_00986E50
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,17_2_00A96054
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,17_2_00A96160
                    Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6196\three_colors.jpg VolumeInformation
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6196\blue.jpg VolumeInformation
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6196\whitesmall.jpg VolumeInformation
                    Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_01074930 CreateNamedPipeW,CreateFileW,0_2_01074930
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_010FD64E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_010FD64E
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_010732B0 GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegDeleteValueW,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegCloseKey,RegDeleteKeyW,RegCloseKey,RegDeleteValueW,RegCloseKey,0_2_010732B0
                    Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exeCode function: 17_2_009A72D0 GetTimeZoneInformation,17_2_009A72D0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeCode function: 0_2_00EF7AA0 GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,0_2_00EF7AA0
                    Source: C:\Users\user\Desktop\e-SPT Masa PPh.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Deobfuscate/Decode Files or Information | 31 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | 2 Native API | 1 Create Account | 1 DLL Side-Loading | 2 Obfuscated Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | 1 Screen Capture | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | 2 Windows Service | 1 Access Token Manipulation | 1 Timestomp | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | 31 Input Capture | Steganography | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Windows Service | 1 DLL Side-Loading | NTDS | 4 File and Directory Discovery | Distributed Component Object Model | 3 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 13 Process Injection | 1 File Deletion | LSA Secrets | 47 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 32 Masquerading | Cached Domain Credentials | 1 Query Registry | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 241 Virtualization/Sandbox Evasion | DCSync | 481 Security Software Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 13
                    Process Injection
                    /etc/passwd and /etc/shadow241
                    Virtualization/Sandbox Evasion
                    Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                    IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing11
                    Application Window Discovery
                    Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                    Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchdStripped PayloadsInput Capture1
                    System Owner/User Discovery
                    Software Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                    Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled TaskEmbedded PayloadsKeylogging1
                    System Network Configuration Discovery
                    Taint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking
                    [Behavior graph. Behavior Graph ID: 1585779; Sample: e-SPT Masa PPh.exe; Startdate: 08/01/2025; Architecture: WINDOWS; Score: 92]

                    Source | Detection | Scanner | Label
                    e-SPT Masa PPh.exe | 4% | Virustotal |
                    e-SPT Masa PPh.exe | 0% | ReversingLabs |
                    Source | Detection | Scanner | Label
                    C:\Program Files (x86)\IkCWSTWLLRQX\7z.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\Gme.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\GmeApi.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\GmeApi64.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll | 4% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\Hamster.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\HipsLogCenter.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\HotfixCommon.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\HotfixCommon64.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\ImAVEng.dll | 3% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\LeakFixHelper.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\LeakFixHelper64.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\LiveUpd360.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\MiniUI.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\NetDefender.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\NetDiagDll.dll | 3% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\NetSpeed.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\Netgm.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\NetmLogin.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\NetmTray.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\NetmTray64.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\NetmonEP.dll | 3% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\NotifyDown.dll | 3% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\Ntvbld64.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\PDown.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\PopSoftEng.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\QseCore.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\filemgr.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\fixsc.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\fixsc64.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\heavygate.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\hipslog.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\iNetSafe.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\iNetSafe64.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\ieplus.dll | 3% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\ieplus64.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\imhelper.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\ipcservice.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\jpnative32.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\jpnative64.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\leakrepair.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\libcurrant.dll | 3% | ReversingLabs | Win32.Malware.MintZard
                    C:\Program Files (x86)\IkCWSTWLLRQX\libgravity.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\libscent35.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\libzdtp.dll | 4% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\libzdtp64.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\lockkrnl.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\mobileflux.dll | 3% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\netmstart.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\np360SoftMgr.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\npaxlogin.dll | 2% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\ntvbld.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\pluginmgr.dll | 2% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\probe.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\qroscfg.dll | 3% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\qutmipc.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\qutmload.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\yybob\HipsdiaMain.dll | 42% | ReversingLabs | Win32.Trojan.Generic
                    C:\Program Files (x86)\IkCWSTWLLRQX\yybob\PackageMgr.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\yybob\QMAVProxy.dll | 4% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\yybob\QMDns.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\yybob\QMEventBus.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\yybob\TDPCONTROL.dll | 4% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\yybob\TDPINFO.dll | 13% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\yybob\TDPSTAT.dll | 0% | ReversingLabs |
                    C:\Program Files (x86)\IkCWSTWLLRQX\yybob\UPSDK.dll | 2% | ReversingLabs |
                    No Antivirus matches
                    No Antivirus matches
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
                                                                                                      http://forums.iobit.com/showthread.php?t=16792e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://www.iobit.com/appgoto.php?to=installe8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://www.zlib.net/De8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BF1000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417339817.0000000003DA5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000005131000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0zBor32-update-flase.exe, 00000011.00000002.2610324883.000000000301C000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://bizhi.hfnuola.com/pc/desktopSubjectBor32-update-flase.exe, 00000011.00000002.2610324883.0000000002A93000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://www.info-zip.org/e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417147533.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2417339817.0000000003DA5000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000509D000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://bizhi.hfnuola.com/pc/agg/StartUpBor32-update-flase.exe, 00000011.00000002.2610324883.0000000002A93000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://twitter.com/iobitsofte8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://bizhi.hfnuola.com/pc/fhbzApi/checkFileBor32-update-flase.exe, 00000011.00000002.2610324883.0000000002A93000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                https://bizhiweb.hfnuola.com/web/advertising.html?type=Bor32-update-flase.exe, 00000011.00000002.2610324883.0000000002A93000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://www.iobit.com/goto.php?id=dbsurveye8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://bizhi.hfnuola.com/pc/LockWallpaper/WallpaperBor32-update-flase.exe, 00000011.00000002.2610324883.0000000002A93000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://klog.kuwo.cn/music.yle8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000424D000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  https://www.itrus.com.cn0e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://www.360.cne8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.bsplayer.come8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://logs.hfnuola.comBor32-update-flase.exe, 00000011.00000002.2610324883.0000000002A93000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://idea.hfnuola.com20012rgbautoStartauto_start_slienthideDesktopIconpauseVidoset_mute_on_fullscBor32-update-flase.exe, 00000011.00000002.2610324883.0000000002A93000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://www.cd4o.com/drivers/e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://ocsp.sectigo.com0e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.000000000332C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000011.00000002.2610324883.000000000301C000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://www.iobit.com/appgoto.php?to=othupdatee8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://www.iobit.com/appgoto.php?to=feedbacke8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://bizhiweb.hfnuola.com/web/vip.htmlhttps://bizhiweb.hfnuola.com/web/payNew.html%s?channel=%s&pBor32-update-flase.exe, 00000011.00000002.2610324883.0000000002A93000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://stats.iotransfer.net/active.phpe8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://www.iobit.com/appgoto.php?to=helptranslatee8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://www.hfnuola.com/selectBor32-update-flase.exe, 00000011.00000002.2610324883.0000000002A93000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://schemas.xmlsoap.org/soap/envelope/e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.0000000002E30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://www.sysinternals.come8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://bizhi.hfnuola.com/pc/agg/hourBor32-update-flase.exe, 00000011.00000002.2610324883.0000000002A93000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  http://www.iobit.com/appgoto.php?to=forume8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://bizhi.hfnuola.com/pc/LockWallpaper/Gethttps://bizhi.hfnuola.com/pc/LockWallpaper/WallpaperhtBor32-update-flase.exe, 00000011.00000002.2610324883.0000000002A93000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown
                                                                                                                                    http://ascstats.iobit.com/usage.phpe8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2393860781.000000000332C000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0Bor32-update-flase.exe, 00000011.00000002.2610324883.000000000301C000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://www.iobit.com/productfeedback.php?product=driver-boostere8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://idea.hfnuola.comBor32-update-flase.exe, 00000011.00000002.2610324883.0000000002A93000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            http://www.iobit.com/appgoto.php?to=filerupte8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://crl.thawte.com/ThawteTimestampingCA.crl0e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000042B9000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.000000000424D000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004A91000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004458000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.00000000047B4000.00000004.00001000.00020000.00000000.sdmp, e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003ECB000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://update.iobit.com/infofiles/db2/db2_free.upte8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://sectigo.com/CPS0Be8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000004E6E000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://installeranalytics.come-SPT Masa PPh.exefalse
                                                                                                                                                      high
                                                                                                                                                      http://update.iobit.com/infofiles/db2/db2_pro.upte8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://www.iobit.com/e8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://bizhi.hfnuola.com/pc/v/wallpaperInfoMultiBor32-update-flase.exe, 00000011.00000002.2610324883.0000000002A93000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          http://www.iobit.com/appgoto.php?to=revokedkeye8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://curl.haxx.se/docs/copyright.htmlDVarFileInfo$e8a0d5af432b7e64DBD.exe, 0000000A.00000003.2440492525.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, Bor32-update-flase.exe, 00000011.00000002.2616789229.000000006B296000.00000008.00000001.01000000.0000001F.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://www.iobit.com/goto.php?id=likefb01_DBe8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://www.iobit.com/appgoto.php?to=activatewebe8a0d5af432b7e64DBD.exe, 00000008.00000003.2419192906.0000000003DE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
IP:154.82.113.139
Domain:unknown
Country:Seychelles
ASN:32708
ASN Name:ROOTNETWORKSUS
Malicious:true
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1585779
Start date and time:2025-01-08 09:13:21 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 13m 1s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Run with higher sleep bypass
Number of analysed new started processes analysed:20
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:e-SPT Masa PPh.exe
Detection:MAL
Classification:mal92.rans.troj.spyw.evad.winEXE@23/437@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 61%
• Number of executed functions: 115
• Number of non-executed functions: 134
                                                                                                                                                                  Cookbook Comments:
                                                                                                                                                                  • Found application associated with file extension: .exe
                                                                                                                                                                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                                                                                                                  • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                                                                                                                                  • Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                                                                                                  • Excluded IPs from analysis (whitelisted): 199.232.210.172, 2.16.164.105, 2.16.164.72, 13.107.253.45, 4.175.87.197
                                                                                                                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
                                                                                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                  • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                  No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
154.82.113.139 | Installer eSPT Masa PPh versi 2.0#U007e26022009.exe | malicious | BlackMoon |
 | Installer eSPT Masa PPh versi 2.0#U007e26022009.exe | malicious | BlackMoon |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | 0a0#U00a0.js | malicious | PureLog Stealer, RHADAMANTHYS, zgRAT | 199.232.214.172
 | I6la3suRdt.exe | malicious | AsyncRAT | 199.232.214.172
 | c2.hta | malicious | Remcos | 199.232.210.172
 | Sburkholder.pdf | malicious | Unknown | 199.232.214.172
 | U02LaPwnkd.exe | malicious | ValleyRAT | 199.232.210.172
 | c2.hta | malicious | Remcos | 199.232.210.172
 | FACTURAMAIL.html | malicious | Unknown | 199.232.214.172
 | 3e18bdf74f3caef770a7edcf748bdaf0e6a4a21664e69.exe | malicious | AsyncRAT, GhostRat | 199.232.214.172
 | Kawpow new.exe | malicious | Unknown | 199.232.210.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ROOTNETWORKSUS | leBwnyHIgx.exe | malicious | GhostRat | 154.82.85.107
 | 6f0slJzOrF.exe | malicious | GhostRat | 154.82.85.79
 | m68k.elf | malicious | Mirai, Moobot | 156.236.225.1
 | Installer eSPT Masa PPh versi 2.0#U007e26022009.exe | malicious | BlackMoon | 154.82.113.139
 | Installer eSPT Masa PPh versi 2.0#U007e26022009.exe | malicious | BlackMoon | 154.82.113.139
 | MicrosoftEdgeUpdateSetup.exe | malicious | Unknown | 154.82.68.34
 | nshkarm5.elf | malicious | Mirai | 154.94.148.181
 | x86.elf | malicious | Unknown | 154.82.151.143
 | bot.x86.elf | malicious | Mirai | 38.145.246.125
                                                                                                                                                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Program Files (x86)\IkCWSTWLLRQX\Gme.dll | Installer eSPT Masa PPh versi 2.0#U007e26022009.exe | malicious | BlackMoon |
 | Installer eSPT Masa PPh versi 2.0#U007e26022009.exe | malicious | BlackMoon |
C:\Program Files (x86)\IkCWSTWLLRQX\7z.dll | Installer eSPT Masa PPh versi 2.0#U007e26022009.exe | malicious | BlackMoon |
 | Installer eSPT Masa PPh versi 2.0#U007e26022009.exe | malicious | BlackMoon |
 | ZwmyzMxFKL.exe | malicious | BlackMoon |
 | ZwmyzMxFKL.exe | malicious | BlackMoon |
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):94206
                                                                                                                                                                                  Entropy (8bit):6.418312172323631
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:b/VvMFn9PKxvi12LEaWOxM9hYukoDe3RLKXUID/ERcpB31zxvSmSsW8JzY0cdyRw:UeWO0ioC3DID/ZxvpY1yRe5ObhXq
                                                                                                                                                                                  MD5:465A0B2C12217FA7100E1A362ABCCAAC
                                                                                                                                                                                  SHA1:3378F5C75F3EFAFBAA5859C661D2CF88E081FC8B
                                                                                                                                                                                  SHA-256:4AAA4C3879E80361BCE07B1FB263CE6DE89D99E3B1DC9A35853202F4C727CA22
                                                                                                                                                                                  SHA-512:97CD5715BF3579A163F8684A76FBAEF5B514D1229D5A0D6F965462A371413D72FB7FF235CC732F4C59B4D2EFAC2833DB2859F06C8164C1EE039D4097368247F6
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:...@IXOS.@.....@..(Z.@.....@.....@.....@.....@.....@......&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}..Windows..DAN_127.msi.@.....@.....@.....@........&.{B27D822E-68C4-4CF6-961C-F62B0D119E2A}.....@.....@.....@.....@.......@.....@.....@.......@......Windows......Rollback..ck(W.V.n.d\O:.....RollbackCleanup..ck(W Rd..Y.N.e.N...e.N:. .[.1.].....ProcessComponents..ck(W.f.e.~.N.l.Qh...&.{0BDD925F-9555-4E0F-A320-9E414AC18B7C}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{FEAD2C16-C7B0-493E-B979-1B01A169ADEA}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{EC42FCB1-8AAF-4702-9E48-B83254BD3FB0}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{BDAF5FA3-1BA6-42D1-894D-41DA643F7A2B}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{25BC8264-C934-445D-B75A-54A198CB23F0}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{546DDB96-6B8B-4364-8020-B0224286327F}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{F6C9FDFB-FE64-4F40-A063-A4A1D40934C4}&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}.@......&.{B8
                                                                                                                                                                                  Process:C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):27132
                                                                                                                                                                                  Entropy (8bit):3.6633019474563406
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:RMMMMMMMjjjjjjjqqqqqqqqpppppppIIIIIIPPPPPPmmmmmmmllllllEEEEEEEES:Sffffff/
                                                                                                                                                                                  MD5:6B0A091A156DE48F452B640D9A913FCE
                                                                                                                                                                                  SHA1:0985A8C2E6341984937C60FFF99C99C8AA144BFD
                                                                                                                                                                                  SHA-256:B307DDA52334CCDE4BC443757202B2E8865414E8812A3722BC8B36E6DB95D8A0
                                                                                                                                                                                  SHA-512:60C8C9F160172499EBEBDEE8D008BE9AE31DA6BF27DC3244E1293028F447CDF0E1807DCCD6FF3FF33ED808D51468B830FBD3079BC9EBFFD294D44B76DB2A1DAB
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.8. . .3.:.1.5.:.9.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.8. . .3.:.1.5.:.9.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.8. . .3.:.1.5.:.1.0.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.8. . .3.:.1.5.:.1.0.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.8. . .3.:.1.5.:.1.0.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.8. . .3.:.1.5.:.1.0.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.8. . .3.:.1.5.:.1.0.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.8. . .3.:.1.5.:.1.1.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[..e..:.].2.0.2.5.-.1.-.8. . .3.:.1.5.:.1.1.....[..Q.[:.].....[..h..:.].P.r.o.g.r.a.m. .M.a.n.a.g.e.r.....[.
                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1390312
                                                                                                                                                                                  Entropy (8bit):6.599443687044708
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:w4wwwwscgymwef8Z8Zzj6z1el68mUi1m/ONxdDDHNCU+3kvaBW7839l5Qafgb6L1:pwwwwscgymwefyEQ/U6/NnDDHNCTeaBf
                                                                                                                                                                                  MD5:292575B19C7E7DB6F1DBC8E4D6FDFEDB
                                                                                                                                                                                  SHA1:7DBCD6D0483ADB804ADE8B2D23748A3E69197A5B
                                                                                                                                                                                  SHA-256:9036B502B65379D0FE2C3204D6954E2BB322427EDEEFAB85ECF8E98019CBC590
                                                                                                                                                                                  SHA-512:D4AF90688D412BD497B8885E154EE428AF66119D62FAF73D90ADFFC3EEF086CF3A25B0380EC6FDC8A3D2F7C7048050EF57FCEA33229A615C5DCDA8B7022FA237
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Joe Sandbox View:
                                                                                                                                                                                  • Filename: Installer eSPT Masa PPh versi 2.0#U007e26022009.exe, Detection: malicious, Browse
                                                                                                                                                                                  • Filename: Installer eSPT Masa PPh versi 2.0#U007e26022009.exe, Detection: malicious, Browse
                                                                                                                                                                                  • Filename: ZwmyzMxFKL.exe, Detection: malicious, Browse
                                                                                                                                                                                  • Filename: ZwmyzMxFKL.exe, Detection: malicious, Browse
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:7-zip archive data, version 0.4
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):204
                                                                                                                                                                                  Entropy (8bit):6.524007625247223
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6:uXphPJHpYvKNvarzc7Wqhd/2NZ4xJH6R5KMEL:GuvKNvKcUNgS5Y
                                                                                                                                                                                  MD5:3E08DF5CDDD1F234418DB3C19F4C9700
                                                                                                                                                                                  SHA1:67898ADFFD834CE604643B8835F0700D5A0FF4E8
                                                                                                                                                                                  SHA-256:F8FC4386A90F2C819E9CA03C7821184AC0E65457A6CDCDACC4C0E7F10034D267
                                                                                                                                                                                  SHA-512:E6580EA95E54B5F9A387E23B1425C950AEE3C59CEF02229A5CF5FD48F4F0665B2F2DE5C76465F7E54938EE47F1ACCD5F0353BACDA98042625061844811828C5F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):400480
                                                                                                                                                                                  Entropy (8bit):6.6249170967240625
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:ke/EYk6LSMAROeK3nzAPSayAj7+fyJHbVJMs/ubUQ3Q/p:MQ7DAvhpGs/8UQ3QB
                                                                                                                                                                                  MD5:CC4F1CDFA6A90B6152B8012E8C035DFD
                                                                                                                                                                                  SHA1:011098BADE1BD47557147B8CF3BAF4A070CB9D7C
                                                                                                                                                                                  SHA-256:7B9FF465FA54E5EDF69F0794D7CAF7ADC6D7B20534E6DA0181DC93DC062E7CCA
                                                                                                                                                                                  SHA-512:0084BADEBBAC672904BD7E19019C2D86B4745DEA26229CE82E48E0A5134DF3FA42B4948C673B17432BFE14F13A82B0BAFF3B5D861AA4AB3A951AF40793780CE1
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Joe Sandbox View:
                                                                                                                                                                                  • Filename: Installer eSPT Masa PPh versi 2.0#U007e26022009.exe, Detection: malicious
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):427104
                                                                                                                                                                                  Entropy (8bit):6.602064716561835
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:d54WjgpIW+m/CbqwcAjoZOtjEipBiRuL9JK:avGPJbtjEY2uL7K
                                                                                                                                                                                  MD5:50B836C0E21FD4EF3F6F6102F9162FEA
                                                                                                                                                                                  SHA1:704834D4BE32AD186FD761E908CC0518AC2A8117
                                                                                                                                                                                  SHA-256:8CFC18609E75074EB0FBF3C87C1B41E263DE503083A7EBBB00643E0F05A2920E
                                                                                                                                                                                  SHA-512:B2C220F954A38B7EBC44FA60454CD8322A21714F1E3D593F32B7C4865113157965E1C8C0821F60F1865270FCB2529EBF8CDD32F1DE44A7626C0D0DB304C72644
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):572512
                                                                                                                                                                                  Entropy (8bit):6.263529853370218
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:Azb0JSwmBU/no1rNW23dImf/D/cnlu41T3ork5d:AH0JSwmko1rNW23df/D/cnlhp3d5d
                                                                                                                                                                                  MD5:984829AFB3ED76FABCAB8AE4BE1FF15C
                                                                                                                                                                                  SHA1:2498F20AB62E3061FB144C7CEAE5CF254D6C7095
                                                                                                                                                                                  SHA-256:F257E86E42D7546C37AEABDC7BF1D00BC09E7B26D9AF4478302FF2B872187C33
                                                                                                                                                                                  SHA-512:5270AE482E8C462B5360DD60C06D8757BE5F7E513A0A7BF993F3F088A67516AAA0A744CDBD034828D3AAF5E6EADAF630317ACF325B03E028398C7EAC12A97B04
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):572312
                                                                                                                                                                                  Entropy (8bit):6.6114481461607175
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:KmuYzDRB54CwW2U0lY4woeFuA0TpxVQ8Y3Ew+zBsPO3erF7q0zoCiJbDjdxzF5og:Ju+469PqNYsBsPTziDjLbCEGne9Z
                                                                                                                                                                                  MD5:5CC95EA39AB6D7751A1A85F832CCA011
                                                                                                                                                                                  SHA1:387B60FE4F257BA8A0F5DA566709640F972EAA3B
                                                                                                                                                                                  SHA-256:4BF5DD0ED84D6C7B4965628A22668F733C167427B20A4B56AE356205381B527F
                                                                                                                                                                                  SHA-512:6E28E6D3D1A6BF4FB046A7F03F68FE27F8A7151465412EA4126AD3DD2A9DC9C89238923E858C644892D72D318CF2112C4AE60DAE363CC5EC41DEF1663BFDD101
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                  • Rule: Mimikatz_Gen_Strings, Description: Detects Mimikatz by using some special strings, Source: C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll, Author: Florian Roth
                                                                                                                                                                                  • Rule: Mimikatz_Strings, Description: Detects Mimikatz strings, Source: C:\Program Files (x86)\IkCWSTWLLRQX\HackPatch.dll, Author: Florian Roth
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):249768
                                                                                                                                                                                  Entropy (8bit):6.601810977306283
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:/0jvJ1SDHfvcFHDSU4/eebh4HT4dK62HPWA2F0T7z/LDdUjE2rRNq5N5EuXCRfC:/0jTSrMtceebhz32HPWnoBUw2/G5r
                                                                                                                                                                                  MD5:2EA3ACA1D36D16F0699261F77EE6ECCE
                                                                                                                                                                                  SHA1:31C6575F5EC4F48ED3939FD5484F4E3D5869D3DA
                                                                                                                                                                                  SHA-256:12B2AAA9C7222B13E97A0870006CFC498134F7182009C49FAD0281A85D5CD386
                                                                                                                                                                                  SHA-512:30057B3491807413603C5A4668D020A384548CE6F41BA9DE6C708C4BF052BE10113AE5AAF41697ACC2AB56E9674EE8DC4669584FA9F838A9359842038F82394E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):555240
                                                                                                                                                                                  Entropy (8bit):6.523642703236138
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:RzJibra10t6DBAAxFhNngOsLOsZDvnCjN8d6HVilI5hKRPnQ0FbgB4e:CbzipngOsLOsZL38IKb4PQ0Fbje
                                                                                                                                                                                  MD5:4B481EA28EC7B065AD6C7FE7674AA363
                                                                                                                                                                                  SHA1:152FC3DA4A1DF717623E4D57476A1D72ADD7F610
                                                                                                                                                                                  SHA-256:92AA7045E70E2BBB706DCD1A1D9B41026CFA06FEDF0E48EE0CAE63B8B80084F5
                                                                                                                                                                                  SHA-512:08F8388322D3623F8DBC23DB60E0542B972754FEAB4071C0FC7382F9EBD54313A8A10E5EBAC9D72E5F4909B23A2FCB4114B44BCF47F3090B029DDEA27CFF21B3
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):180800
                                                                                                                                                                                  Entropy (8bit):6.720835675786583
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:zQPGqss58Kg5dqBLQ8/90/qTQPOfb7+sH1buHv/c6R2Wmjgk4Kq2iSiTHa89B:zQPB4jqBLQ86qsPOf+8RuHXc6tmv4KqZ
                                                                                                                                                                                  MD5:91D9E316BD0533C92BDE234131EC7AB4
                                                                                                                                                                                  SHA1:86D1997382E3FE81AC27B88EFE33E1773D095518
                                                                                                                                                                                  SHA-256:62BAAD0A128B580889091F015384410BD491F21BB101682557B034ACB28E00D9
                                                                                                                                                                                  SHA-512:BDD41A900EB1299815CA24FD78EE5499F20C78C5E62CAF11934A5348836C557AB402DF1D75B4932AA6E322562C8CDEBB120FC74137ED9D693AE6719C44C5718F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):219200
                                                                                                                                                                                  Entropy (8bit):6.255426513524174
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:n7pWDP71+xRSkTt9XFD6RAtofSUAfohtDanx51K6flyT9S9:1WDP71+xR7h9XFBtofStomfK69e9S9
                                                                                                                                                                                  MD5:C64D91E0734622D550F578CAC023FE9B
                                                                                                                                                                                  SHA1:9B5F47305F02ED862BE6A8E6F6D48647F9311E84
                                                                                                                                                                                  SHA-256:9AA97B67D074D85CAFB29A0A561DFAA2416A283FC8A228B6904D63D16C8C463B
                                                                                                                                                                                  SHA-512:FD419DE7FBC7C0B9F33CD340E2DEF67849DF628799FC0507DFEB6F77DD8681232B81216D082155278EC7D158E99FB480EEAC884A8962F410321F91A89D500CBD
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):175728
                                                                                                                                                                                  Entropy (8bit):6.544553321577818
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:ix5UgqxBe84iqhlPyKc4pquYWWM1qOrlhPzc8ylmyK5WodzzDi:i4pgbzTYWRZHrc9lNQzq
                                                                                                                                                                                  MD5:B8FDC03B9B84A62C5C541524DCA2E723
                                                                                                                                                                                  SHA1:5643ADAE63CA199F9C44A35F3B30947A0F8B6D21
                                                                                                                                                                                  SHA-256:1F6F3DADCC4C3096EEBFB5CE5DB979755ABA5CEB9DB18E6CA6238F05B45E5F4D
                                                                                                                                                                                  SHA-512:A31708C251967D484F242BE658E92E94D87671294CD2C959276EC3B739D46F3FC7D1140CC8F78640DBD9970EC2176633E67DD079A3182ACDCE0FA8A7DE366637
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:7-zip archive data, version 0.4
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4838529
                                                                                                                                                                                  Entropy (8bit):7.999964247779076
                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                  SSDEEP:98304:dyuKv/wWIsvrPq9Bj51aCo01eQI3rWHVNZCbNbXew9xJePD84rzt0V:dy9v/wWIsTujqEeKVN0bNzewTkPpz2V
                                                                                                                                                                                  MD5:11C3B2492D2EFE15F6E49E06BBF6F771
                                                                                                                                                                                  SHA1:3079536DAD9E3C6992DA6E5DC31CEA4691310125
                                                                                                                                                                                  SHA-256:3B3D05AED876749A75D82D382314A20434D427BD44EE56DDB0C852C648A44040
                                                                                                                                                                                  SHA-512:A79BAD2BBAFA2A096FB5CE90605FDFD6ABE55E004932AEAE588D67E0805724D88A40CF04CAC28FD4636F0CF19BDDBD3B1954B6CD9984D03EFED06D673B48C8A8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:7-zip archive data, version 0.4
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):11899681
                                                                                                                                                                                  Entropy (8bit):7.999984606834096
                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                  SSDEEP:196608:OI9kryCdze2PCDz0SSDHFzQEZtFAXiJqZ9Ne5PbwGIIxCH5aLJkER/NF7tt5R:dkrve2upkHFc0+XiJqrALLJkETtX
                                                                                                                                                                                  MD5:34C22F715FACA10EAA6D4F0C04811934
                                                                                                                                                                                  SHA1:163259AB5704779CE2A8E3BE11A7E73C4A9D36DF
                                                                                                                                                                                  SHA-256:9747A960BC2B94B447948C0A0C2BE72BF97E9C0AFA56E678CE5E5B29355D1752
                                                                                                                                                                                  SHA-512:BE6DC349F0F55CBFA39FDFC5051CAFBA46AA468C5C13DB47CAB03F3FB7A3F8AC5A1B04C31CABFAD9196534305EE310104904EAC26EB540D9853B63A8F4B37C4B
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):313952
                                                                                                                                                                                  Entropy (8bit):4.32348576044483
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:7cxIVD6kUS+hV/EENZH3JzJPlZ4k5O0f+BC9vCfFL:ooehV/pJzJPHM
                                                                                                                                                                                  MD5:A88A6FFF171F7FECF8668DA1EFC843DF
                                                                                                                                                                                  SHA1:E4C8B375BBECF5790B2B0444B049CCE11659D598
                                                                                                                                                                                  SHA-256:34CCCEC093F5711D1202F54BFE8756E093E4F84099EC7D609AB9658C3C941921
                                                                                                                                                                                  SHA-512:808F6E217F5E157663E66B46429636C4D811ACA7C5672EDD1B003377BB4A039265B4FB905B4ADE39D81B3E64E7793BE8278454155E8BD2EE92FB5B6F919563EE
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):362400
                                                                                                                                                                                  Entropy (8bit):4.208790369342181
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:ZGlYJdSi2t2SwbVGMuyic94uxJmXs/wIb8n9ssWy5cdJEnpOwD7A51B8BLRPrB:0lYXSi2ttqWc/PYOy5cQnpOS51
                                                                                                                                                                                  MD5:3D01B2B5288974E922B6417FD3B02373
                                                                                                                                                                                  SHA1:5649D3E7E15D1BF707CD7C28FE9931E5620EE9ED
                                                                                                                                                                                  SHA-256:B438EF547753F91577730FFE9321563E7DD4ABBCBF056ADEE3C49906FC1EABD4
                                                                                                                                                                                  SHA-512:F0C0EEBA22F33A4C596FF1272D681E7A349AB60112FD0AF5C75E07F065F35525C332270DE0ECC171D0B4BF53C3BC79C4E40BAD0EF1A0418A2D5DE882765D2FEC
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):647184
                                                                                                                                                                                  Entropy (8bit):6.591959886632138
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:I/8iKgqct1l8h5H/30CrYXUjniBZoStkf0EOl/mvxxXiINkYF69+:NbhV0gMYnigStkMEMSxXrmYF69+
                                                                                                                                                                                  MD5:960B05116F13AE8E8B17A6BA2919BF2D
                                                                                                                                                                                  SHA1:D1A58D1F65272198D0A6657B06FAE6D27F1E156C
                                                                                                                                                                                  SHA-256:00354506D4F1DD6A1FDF9450CA4A8E799A5A420A1A47BA3E41D7B30D8D02440A
                                                                                                                                                                                  SHA-512:7A05E3178ABB8F92AA3A61F8A3156C87BD46F03F12D8EFC6CC1FEEE36B2508816E761BF6A3385BBDA2DD16EA3AB9CB4A5B899C3D844257811F0B3D9C4464713B
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):921160
                                                                                                                                                                                  Entropy (8bit):6.7626587126151065
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:nJtdTUbI0Ig/fMiK6hRN/IgOoWtT9nQnap:nJjUbIU/fPHhrIgBWtTFQnap
                                                                                                                                                                                  MD5:5123C3B8ADEB6192D5A6B9DC50C867B1
                                                                                                                                                                                  SHA1:6D142074A21AA50C240CE57CA19A61E104BBDF41
                                                                                                                                                                                  SHA-256:273CE954C8D33ABAAC3A0FD8546719F09718C1D91317ECF5B99181DFFA3FE26A
                                                                                                                                                                                  SHA-512:067305A8F09C480FE4A4C8609638C9A490C4EBE2782BD13C10B380DF14F76D4748EB785F44E7BCB86514718F99D07C3C6A4B43928A294B18020CB0FA589EE2A0
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):451480
                                                                                                                                                                                  Entropy (8bit):6.641728581015286
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:c2qfhIic6ZYk/UxdGhZi1MVv2MIbvweYsoOzpgseJUnv9it:c2qfGhz/qgodsoRenv9it
                                                                                                                                                                                  MD5:2C63554380D33E2AB153CB285E72C2F8
                                                                                                                                                                                  SHA1:1EDE14CA4003AE639AA80E2F4E90558DD1A49A7A
                                                                                                                                                                                  SHA-256:F77F9AFB3459F2D2C8FB0354317A0353ACBBF6D31988597775ADCD9AB0D80BA1
                                                                                                                                                                                  SHA-512:96F951089D907F635AF5A517AAF53FD13064ECA471DC4440B8C67147A91F11043043F102814C2E6DE8933F81F30D6AFFFCC073BF98670A8D52A5518AD89646B7
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):337736
                                                                                                                                                                                  Entropy (8bit):6.495942481063909
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:g1wCwn8QI2fm53Nx4Lj23TIae3m7jwyhb/7hjW7iBH+ljFx5mcvbKr:gmnckm5dy63TRe3XyhbNjWep+ljFx5R
                                                                                                                                                                                  MD5:22C3095414CE54C8405225E3BCAAE591
                                                                                                                                                                                  SHA1:9F0515A564B5077F49AACE011E84AF51F9973F32
                                                                                                                                                                                  SHA-256:B734DB11E973318D728FE92E112639AE5B8876C855E6507315C707D04D3E0746
                                                                                                                                                                                  SHA-512:2BE22658A038F8061B398489C357EFBA0F920FA24655A53650593D4924EE565E445D3A7CFD2C9689BC3A79E8355157004640E49B0249FCA63B3EBE11726D42A8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):499432
                                                                                                                                                                                  Entropy (8bit):6.633998530829339
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:2gz1k3fKRVIpJcADwPkUeKvd8C/RxC4MwYXlHUCMJ/TBJnt8KZ0Se+4xichK4:tMfKRGJc1tnPC4MwYXVl4/Trt8K61s2
                                                                                                                                                                                  MD5:049791828DE05D24D29EC9C8687F8B1A
                                                                                                                                                                                  SHA1:2B6D787EB078DFAE0C6718A9D99D06CEB01FB273
                                                                                                                                                                                  SHA-256:D418DDA34640521B8695642C7A7E719F173F706472617CFF4ED343FB68211862
                                                                                                                                                                                  SHA-512:7E36019A163F55932F95D33FACB216B69244DC8D5506CFD1D2E707A736AF448D7A4F78ABEAF85CF0F42E4E18B7EB1D330A9788F73773E6BE23A61C6B2981136F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):343784
                                                                                                                                                                                  Entropy (8bit):6.490658338748216
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:rFp+cWO/EibdFr0Zv7U7bAb1qi8JU0Wexe/1Yd02Y+VZRg43r:rFMcWO/Eib3r8jU7Q1qi860WexexEGe
                                                                                                                                                                                  MD5:6E5F6B4D49768E131EF614DD07E5EFA5
                                                                                                                                                                                  SHA1:DBA90982727A9373C8D97E72500D89814184C7B6
                                                                                                                                                                                  SHA-256:EE326C156144EB89DE76C21C66BDA10BD22922B1A9C85615CACEE84DF355604C
                                                                                                                                                                                  SHA-512:12FF45D6F469B577E74A62B866DAE2A879751654A6627250286E3CC4F319411FE901155347DA762010F373BBEB46F2BD95E0428893242EE4707BEFA7312CF92D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):533600
                                                                                                                                                                                  Entropy (8bit):6.567835943059589
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:OgmCH8ZkhmmpKJiv/Dn5EWomaMIhEKf3Io7fknS52:Og58GnOthL/I1nW2
                                                                                                                                                                                  MD5:5D7B815A95164AFB4A8E35240644793D
                                                                                                                                                                                  SHA1:3AA5BFB8B2EE68C33BEB3190480CBE0149C29A96
                                                                                                                                                                                  SHA-256:1158A8B493FC607354DD21E5A601760C082C00EB8B69E839E17E4A198C807418
                                                                                                                                                                                  SHA-512:95E06406294258A3F81446A17E5CF67A02EFCDB0DA257F32ECD5B48D3F00B9BE628E2F82C04856191CDFDE02474ABC62D64D4A200164D7F6149993E548C8A335
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):247016
                                                                                                                                                                                  Entropy (8bit):6.914297747665078
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:LQvXrZQoI8GHJg9bb9wv/cZD9Da5TUUQJYlCXbKJOZwFSYG0GTO/X3/mCP0V:kFIZgXwvkZqUpJRGOZwFVG0X/mXV
                                                                                                                                                                                  MD5:5B4C825671418F34D95EC1F7BB55FFA1
                                                                                                                                                                                  SHA1:C0AA182B281EDB4F06BDC98D7CF413AF948AB50A
                                                                                                                                                                                  SHA-256:AA51AE325D53D586532145E0C6E702247654502C0349C5FC570D7155353B045A
                                                                                                                                                                                  SHA-512:BEC6D76883BF786F93BCA0E32A36CF21002D5E1CDC1C098628D9D50D1E8E40B0E44C6AAA07DD8B503ABA5B638D44CBFAAF6C4BFB0E9F6C8F49470D7664432F73
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):290024
                                                                                                                                                                                  Entropy (8bit):6.537709606383622
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:AhEzpelia8VSPgFmHKbDNATfCfzWNunIj1EpJRGOZwFVG0SJK:AhSpelaSPXMmLC7W4iOZYG0n
                                                                                                                                                                                  MD5:0F15D28EB4CCD9DADFEC0305BF5F8E2A
                                                                                                                                                                                  SHA1:04DE9FA6736978FDEFA031082C58FFCD0169861D
                                                                                                                                                                                  SHA-256:F06872A9A6A6AFB4FEA670385694EA364F271705FB89B09E4390E95752A98F25
                                                                                                                                                                                  SHA-512:955B8C3F383C66B4249510A20890C856994F2F4E9FA40C374B472B9E19AC2441A86BE67249F13E1F624AAF2F03D0F6A73F69A0E3D73178F2FC39843382D1041E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):160584
                                                                                                                                                                                  Entropy (8bit):6.648758970829866
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:ABDE5pe7xyshJiszc1TLQXDNxLYeW54C:Aip4ysYTLcXP
                                                                                                                                                                                  MD5:EFEBB6F93832D5A7EEF3BD4EB81D4A79
                                                                                                                                                                                  SHA1:9A75E55A08422E7B6A7D695EBB0F61589B31005C
                                                                                                                                                                                  SHA-256:542928806DE9A653C52250A0AB3D7847EF9249C195C00B82E5BDEB066AE6D2DF
                                                                                                                                                                                  SHA-512:D9F276F0556539739289585B55482034BDF99F0C18917720F1AB84B870DDA3E303792CD4DF85183155BFFF8DA174EFBE8A74506197B268D632BA6916AF00E521
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):549488
                                                                                                                                                                                  Entropy (8bit):6.736896619735914
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:XLgRCEprkKZlVgTndpHpTVWDQZNrHIGUYmHASzK8BnWToS09:7gAEprcnLVADQbzIGHmxK+WTO
                                                                                                                                                                                  MD5:14274CF241144895CA05CD456197F573
                                                                                                                                                                                  SHA1:4D4009B0A2F7BA56C6C98DC823C41085EF4712C7
                                                                                                                                                                                  SHA-256:113562BF950B39E9466E8F646C84AAA93F6B2C89530F56913B0B36E0096239A0
                                                                                                                                                                                  SHA-512:5A8009D935EB59B10523494C6C9D0A79FD29B0FA41CBA046E9CCC60A8D2EBA05CCC23D881E121A4526371E21B7C9DB6CC62783E1A5ACAD019705970C9F52091E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:MS-DOS executable PE32+ executable (DLL) (native) x86-64, for MS Windows, MZ for MS-DOS
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):42976
                                                                                                                                                                                  Entropy (8bit):6.2171815555231875
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:iHfqCaczo/ZinYCOd9L9KyhaM7JubDGpZRKjKj9MPgkU7:8fqT/ZWY/L9l7JheMJ
                                                                                                                                                                                  MD5:671F95CAB2B5CF121125413F250F5275
                                                                                                                                                                                  SHA1:73D99D09A3D8978A5C6DB43CEC85FB43B03B7A26
                                                                                                                                                                                  SHA-256:728A1FCDEDCA6DBD8FDDDE3F33CD64DD99853C26EF5B10D3FEF0D76D0480964B
                                                                                                                                                                                  SHA-512:4AF690AF838CEB026636931AEDE3852EAE6D83881149EF4C28CC1DD032C3F7F6A64B30171C2524512FACD40496DAB305523D20637B44EFBF0D5805D0FAD1FFCB
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):253456
                                                                                                                                                                                  Entropy (8bit):6.554744612110189
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:OpoEWHpLJeJ8MvIucm/334RStKp7Tu975:vEsLJeJ8MvPcm/30u975
                                                                                                                                                                                  MD5:637FB39583F9C2EC81E0557970CD71AD
                                                                                                                                                                                  SHA1:ADA1137BB47DF62F48407ACC2DC713D92D13A0E0
                                                                                                                                                                                  SHA-256:330B8EC664949CB9DE5BCCE5AC248148B58DCFEED69ACD8D9CB576AAA935045E
                                                                                                                                                                                  SHA-512:F72C77D29C51CC6AC1151C919C769BF063E5BAE763033B9BF5BC713E01416ECB301A120B22A17037310E47662EA916A06AA09BB441DBDEE4032A6D59A0876ECC
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):662920
                                                                                                                                                                                  Entropy (8bit):6.526894314465185
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:+huSCyAZQUpHByI4ur32KWVyTHrpGUCiAqfoHD2AvdLnaSZCzm3slIalDoH7+F+2:+huSCySQUpHBl4uqKW2Hr9otZCCAlUHa
                                                                                                                                                                                  MD5:C3EA1FBF2B856FC25E5348C35FF51DD9
                                                                                                                                                                                  SHA1:87D8FDFDD52FA3BD59FDC7BB1E378091D0D91C16
                                                                                                                                                                                  SHA-256:6F24B8CA595B4B472320C7A104C64AAD6F0928AD4F1318D1DCFBB0C5BD488A64
                                                                                                                                                                                  SHA-512:298CE88D37E0496CDF6DADCD7D8890128B90113161311D67ED264B003D5840460FE594B8550FA46E45AF88564E4095C21B748CA3D2B497540ABEB0CAF5533820
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):177
                                                                                                                                                                                  Entropy (8bit):5.2011029533052096
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:FCp/32ZmsmyR73wy82K9oYGyvA9id2sycyMcVqotTBAtoZht3wetdQQqi5xQn:F+mdR73wv9oYnvA+yLM+At2t3wgCQPxQ
                                                                                                                                                                                  MD5:E7EE8D889FBD33DED17EE00BC9E98ED0
                                                                                                                                                                                  SHA1:A153B28DBB602C58A606A44906F38128E85CD285
                                                                                                                                                                                  SHA-256:2BA624377B2B788ABF3A248D956FF743E93F06746D3D2F220A2257AD94DA540E
                                                                                                                                                                                  SHA-512:006D57BA2F48792DB028437F814618F19AC2D21EA1A1E9BDF39F5853536441B3436BAFB866917CC6708B21C58D93495501DFA5B345F55BC49FEF766812E46DF8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:[XLY]..P2=LJBPHRBSRLCI.FNG..P5=IWLHTVJXHINUWUFBWIU..P4=FNCUNPTNLBMW.DNA..P7=AEXIKRSDXTBGHJSHHPK..P3=KKVIOQVTEUTA.OKO..P6=RFOLHRLVLKWUMQMLJJA..P0=DAN127..P1=e8a0d5af432b7e64DBD..
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):849224
                                                                                                                                                                                  Entropy (8bit):6.7893930691706075
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:V/Fiea85oMvk6SqMNH/U6beovEYNVXWTwROJTQ9wC1N4Lx09GpVuQ:VAF85oAk6lMNfU6beXwROJTQSC4l0KuQ
                                                                                                                                                                                  MD5:AA4E9E8A1B0B7C4126451814701A449F
                                                                                                                                                                                  SHA1:7D988C453283C345E17422FC4B2B6CCFD8200245
                                                                                                                                                                                  SHA-256:6CA0ABCD77232A5CBADE520596CAB305012ED72315C09CB5A30C3C1E96367F98
                                                                                                                                                                                  SHA-512:0738DFDE9EC2B1E23B88FDA344CFBA443705A3AD87F22629676118DF555BD395D1737066EFCC4257B8138A0D282491CBD30F36D1880CA640E7D463855C0AD63C
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:7-zip archive data, version 0.4
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):719
                                                                                                                                                                                  Entropy (8bit):7.651157103123239
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12:13GQDv7sWgZDAIXQk5m/2MnB82RU+JR/DoZMIZ6XO1a/oCfGEAxTNBfJb4eWNudj:1GQDvMAIgk5meMBXfsrZ7a/ODBpdj
                                                                                                                                                                                  MD5:2322FEDC1A270A91A3584496BF609CEF
                                                                                                                                                                                  SHA1:F422C6A1AC8BA5911C2A74BCBC052D11E43A3F97
                                                                                                                                                                                  SHA-256:832BD52C260A50338ABECA0E16A65ACE58DDBCD16F5E65A30BA9362822376763
                                                                                                                                                                                  SHA-512:575891E907D02DEA426EFA6DFB9AF11A4B2C23FA7C73C85ADA4C555085A6C0B14A76500974D89D1726A6853C8836F90A112F928DEE250E86681415DD2A8242CC
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):710888
                                                                                                                                                                                  Entropy (8bit):6.630506217753264
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:5n9CCUQ0bGwLt1n/iswKJLUY2XOrEO/6awL7wU0s6OzeoXHhS6ckqIbpieFGrh1l:7+tLt1aNYrfBB6BAqZkyQgJ0VL
                                                                                                                                                                                  MD5:C4A08B391245561157AEFD0FE7C40A11
                                                                                                                                                                                  SHA1:28D15D43A1BDEBC83701AFD89E6EA9C24F90DB33
                                                                                                                                                                                  SHA-256:53D7C8F2FD109E85FC9302B7424875BAD22A148D6EDC6C7FD8E4589E97259BFA
                                                                                                                                                                                  SHA-512:24C7608346B76694BF9D8227FF6A794B26D73C0DA93FD231A2331CD371ACC86F293FB9093850F5513DFBE1D269114A56F47DCADBA11BD98C691AB38472A6CCC6
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):15360
                                                                                                                                                                                  Entropy (8bit):5.306110093863136
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:U4MHLZo6ULkil3CtzKIoTRp6n7B56TXGy5+:U4MHLZo6ULrCtzcTRpUd5S2K+
                                                                                                                                                                                  MD5:ABE42D544B1002D50801E3075576F455
                                                                                                                                                                                  SHA1:58B6CFBB60EF6AD2734C163C4C83B04CBF617AB1
                                                                                                                                                                                  SHA-256:3D48A8F09DE2FD202BA4922D944FA7FEE03B1DF13FC3BFC22BE814937CEA52C6
                                                                                                                                                                                  SHA-512:C9B842A687FF0A6DC4E242AEB3CFB6964A7D4083A9D9A1583B1F85E949E68451C24744DDB07531DBE03B0539C9F1FDF5BE3F400D1A523325BD114633564616E4
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1390312
                                                                                                                                                                                  Entropy (8bit):6.599443687044707
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:znhMjKSFXpFEzq7zZvjyswjzYnOAjPSy36c9RCvirRMNJbd3g:jhMt/nVo2O56tibxg
                                                                                                                                                                                  MD5:C77EE913C46510A705A9DDDD91DE8302
                                                                                                                                                                                  SHA1:CB5E045FA27186B9F23E4919590387478B9343D5
                                                                                                                                                                                  SHA-256:092689651DB7B81A6816B1F78F8CF81476945D493E9566762F5791ADFC5BDA31
                                                                                                                                                                                  SHA-512:A6C080D04C92EFBF8A1A4A1D1423837B1282E4CFC0E77D9DA4BC9F78E235AA6CD8AE3468B588FD9D35BA656A7A1B27AAE805662EB6C84B053D0149855F4A6514
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):710888
                                                                                                                                                                                  Entropy (8bit):6.630506217753263
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:6BMGnPEAEuRNz2HuiEJe0z6h5KEuEVv4D1wEM50+OD2evinKqcQUuWnI8:6BMGnPEAEyXiEw0xXD2evincvFnn
                                                                                                                                                                                  MD5:FAE7D0A530279838C8A5731B086A081B
                                                                                                                                                                                  SHA1:6EE61EA6E44BC43A9ED78B0D92F0DBE2C91FC48B
                                                                                                                                                                                  SHA-256:EEA393BC31AE7A7DA3DBA99A60D8C3FFCCBC5B9063CC2A70111DE5A6C7113439
                                                                                                                                                                                  SHA-512:E75C8592137EDD3B74B6D8388A446D5D2739559B707C9F3DB0C78E5C30312F9FCCD9BBB727B7334114E8EDCBB2418BDC3B4C00A3A634AF339C9D4156C47314B4
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):175328
                                                                                                                                                                                  Entropy (8bit):6.879935553739908
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:jnrQnzMYywmn3h1sp7/WvCnIukR4BbxKigu/fgl1glfdjgBftJeCEEzx4N7mcr5:XQnzXtr7tbxKVuE1gQJeCEMx4p
                                                                                                                                                                                  MD5:BE4ED0D3AA0B2573927A046620106B13
                                                                                                                                                                                  SHA1:0B81544CD5E66A36D90A033F60A0ECE1CD3506A8
                                                                                                                                                                                  SHA-256:79BF3258E03FD1ACB395DC184FBE5496DFA4B3D6A3F9F4598C5DF13422CC600D
                                                                                                                                                                                  SHA-512:BD4E0447C47EEA3D457B4C0E8264C1A315EE796CF29E721E9E6B7AB396802E3CCC633488F8BEEB8D2CF42A300367F76DEDDA74174C0B687FB8A328D197132753
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):618728
                                                                                                                                                                                  Entropy (8bit):6.588792056328895
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:B+jJIpPUHR7IS++ZbaL/mH6yf0fvmuZqhI8XlF7YfkLfm7WUjxioncm:U++4LVs0QpFaIm7WKgoB
                                                                                                                                                                                  MD5:6E8F89DA86BB82538932DB314C2208F8
                                                                                                                                                                                  SHA1:A86C373D7BC49032F0EB7D0BB01DA74BA67B4F43
                                                                                                                                                                                  SHA-256:ABA5E0FFC2D21CB5045D13CE66F8D80862600E37431D20E999295CB07DC5EF3D
                                                                                                                                                                                  SHA-512:7EAA25D7AC722EF7687357356AC9635B80158918BDA03C3A7E49387BEACD8CD2A9A2ACFD8B5D13571453A7279772FA726A75C9DA0FD7EC6D5BAF202FB928F00C
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):147176
                                                                                                                                                                                  Entropy (8bit):6.792908985087195
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:oAhT/95cw+pUD+U7s3H9xMaZ7DdJMq5mZZEGP0V:RBADU7s3H9xnBhJyZZETV
                                                                                                                                                                                  MD5:2EEFCD3D407E4DA935E5B60EF257E153
                                                                                                                                                                                  SHA1:34F56846E9F48F9775DD8250897345B7736DE213
                                                                                                                                                                                  SHA-256:837B3DE5BF545BAB85599F0B6D36D8DFE4B3595AE94254CF7C968D1D7DA86F35
                                                                                                                                                                                  SHA-512:EA05765A18CDA52A7398E04947C8DD6828BE06B07261C612BB8E550656FF5F9EBBD37F85C07007980044D2036171227EEA978B0D0592D6D584A5DEFE53BF8968
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):174824
                                                                                                                                                                                  Entropy (8bit):6.422260069407969
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:vjNq/3Jyz4vHAYH7EKJ3eAlNd09cd7g9EEnQHBdp5FFmvBh7P0I:vjN6yKNBJ3eAdNEEEQHB/F4BhII
                                                                                                                                                                                  MD5:ED2ACECC811ABF288316C709E2F2D943
                                                                                                                                                                                  SHA1:0CCE7CC3687CAAF59E6DEA1A90D1214782B5742E
                                                                                                                                                                                  SHA-256:C3E9F2023A28A2115D15D8DA451B8105771C4D4746F494CCF83FB28623CF724C
                                                                                                                                                                                  SHA-512:9DD510EABDB4D59B82A7492DFE6A6D11C47721DD0B7F0F22C8060063A94E36FE93A28EC19815AA68F89B1B807AAE584B304AB15D183493295B7E13E65527BEE0
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):559000
                                                                                                                                                                                  Entropy (8bit):6.789431209891293
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:OrswC3DEddri7Dj1XHmyZQNCAGTFgRJz/9i:gsP3Dwdri7DjlHECAGC//9i
                                                                                                                                                                                  MD5:EE6AA967C56CC0D0820C95D4FD89FB30
                                                                                                                                                                                  SHA1:D1C5161FB8CCA7FEDFFC1056FAB8D79309EEC01D
                                                                                                                                                                                  SHA-256:C7CC69762AE72840D200C14E652A460807F487059F7D0780E245AB36AF445B9B
                                                                                                                                                                                  SHA-512:8502D5E4BB48FE3ABCA897F293199815CE7DBB67E4983BF9A9631A4F92602289FBF08D42DC547B96E1C8338C77108019B952DAA5D682465C7C5567CCBAECEEAA
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):49480
                                                                                                                                                                                  Entropy (8bit):6.739956450503979
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:C2a0KRlGHkg3oqHo3eaB6e7NXQxZzYf3yvZ6/WitUDvb1PRF8oaH:n/HF3xb8KEvyE/cDj15FI
                                                                                                                                                                                  MD5:E2D837E2B4DDA87A82553631E7D5627A
                                                                                                                                                                                  SHA1:9F1A5A95B4F0AEA6F9061140F0E22EDA819A78BF
                                                                                                                                                                                  SHA-256:A5118527EE28C3C263F3FCC3346F8BCA83284E21C8149082F8D1AAA68B39EBC6
                                                                                                                                                                                  SHA-512:3FDBB618C9F49FE5C7EA81398401C5AD19EE8A215B9A3D29FC03071935E566B80560A775CEF3F1502F8447B2A2528285C8D4586C576A3E311241A06177E14C52
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):383720
                                                                                                                                                                                  Entropy (8bit):6.579374990134974
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:oG1pYD09uIwtl0F1LrheKG/HYStQGz1DAOoQGEnb5bj1hFu:X7g09uRlYeKG/DHegbjs
                                                                                                                                                                                  MD5:3CE009AFF2FE459A8248693AC8DAB788
                                                                                                                                                                                  SHA1:607444A7B8AB2E17C525BBE0B28878C3BD0F8099
                                                                                                                                                                                  SHA-256:11856EE1D754D31AF95F1047CE6B68CA2395C703A995525FA5D9E4A2678D0B86
                                                                                                                                                                                  SHA-512:1AB4ECB89B07F09985B57F0D546FE6063D8ACEDE435F74075EF9A37288F7D9D19DF168AAEDB38093D88BA2E515CBDABB23F87163AC8FCF9A706448B0F4FC2774
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):406248
                                                                                                                                                                                  Entropy (8bit):6.190903413261375
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:OazgQG4JdLe2p+teZ3q9y/3clyMEcLeowam/xohKKJJT2pgJ1JhfQeUnZdnkewZ:HgVGemGeNlYbR2am/xolx0nZZjm
                                                                                                                                                                                  MD5:E5E4828980E5C836163382F9642D4D24
                                                                                                                                                                                  SHA1:E8BFB72EB75D20DEEA9152089B7092E07F2EF2F3
                                                                                                                                                                                  SHA-256:639EA37856839C2D5446A82441D7AB94204EE1172487EB88E9AC1CEB6261D554
                                                                                                                                                                                  SHA-512:6F621EC441CA46CC48A48056F8E278FF746ECABDAB1933C0FEE18574EE366BD9721487D6462746B6874A5B2CD4D8FC327B5089F351CE8086E10061791034794B
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):887648
                                                                                                                                                                                  Entropy (8bit):6.72536750906441
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:rMl3YXVguMMrGA+64Z/fOl7FPZ1ZGf4a9nCFECq3N:Q0LMe4ZHOFPXZGfNCFEzd
                                                                                                                                                                                  MD5:CFB50C3C7D74F518CA9E2828E702145E
                                                                                                                                                                                  SHA1:E38FD98574C08BCC6415E62EA7C9A380958A3D1C
                                                                                                                                                                                  SHA-256:1C8FF953478CC71166A36181ED32AE7C48B267B011240DB2C701E35D391A66EE
                                                                                                                                                                                  SHA-512:BD08332BDB78614F1CDFD2E4939B1B9400476D99B50996C17C0277ED76DB5972FAC5EC77DCD4C56459DAA11C6126DC12D66A4E59122DC9B8D89FF6DF89B83240
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1001320
                                                                                                                                                                                  Entropy (8bit):6.375963793592453
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:DaG9UYtX8J3EfBCMwM9E4jRcoI237MSW7/HTdPSYPJBhnHRxd/c:Dx9UdYRwM9EWI23wSWHdPTJB5dE
                                                                                                                                                                                  MD5:074CFA8CC35DC642A2B95CC96CE5357C
                                                                                                                                                                                  SHA1:CEE218C914D530BE6C9BB9531E78F2137224D5A8
                                                                                                                                                                                  SHA-256:4DE592C87C443780B5D475414196B3C5406ACEC8809EA65AF45A50E7E43462A5
                                                                                                                                                                                  SHA-512:EF776EB824F4C3152A380B3EC2858A11A96E48711C213AF905FE2B0A972F9CB4A7D83B4B96848DB0B478AF4D19623CB8AC0E5F8FC47007B39E0F16FC2E5FC851
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):247528
                                                                                                                                                                                  Entropy (8bit):6.604794755347589
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:2Y77YOcw6BdKQYuVXsZy54tgQCkW30W9ezJQ4mRan5kiINyyT7PK0AMZcan5aj9b:n7YiJEIy54gFogRa0Nl/N1Sjl5yxAl
                                                                                                                                                                                  MD5:9B05B1F0E62DD100D385807262B84A90
                                                                                                                                                                                  SHA1:631449787D7532A855CB061E333C0712AC20E753
                                                                                                                                                                                  SHA-256:6BC0133A16C7F058E5C0B6027929DB1145D37717118DBCF24013FA4F2D79E848
                                                                                                                                                                                  SHA-512:9F43A542B38D998038D20467BB797CF789A36666F4B8154A548FD6E7BA24A20256C9A0BAB64CD43CB12BEBF704A524FE35F9652FA399237A3F0AFB3BF8670676
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):705768
                                                                                                                                                                                  Entropy (8bit):6.685295160437571
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:S/20NCvMDhBsqLeIQA2BcMNcYB1mF5Q3LNOsbwbekwCYgLECHqa7XWpbt9o9TehK:e2KC6hBs6f2Bcm65sO8wACHqaTQJe9Tn
                                                                                                                                                                                  MD5:8B632FD2D4EA70470AF97CD5E88F74D7
                                                                                                                                                                                  SHA1:9E384D37EB586E9B187F4FFF89C2F104A7921F44
                                                                                                                                                                                  SHA-256:AFCBB8BCE2E5C8C5E9AA851941E626A62573E6054EC75C14066AD37726BB9DB6
                                                                                                                                                                                  SHA-512:5F7EA2BF6599AA9E0C44C2820F89DF0827EEBD8A037C9DF2AF516D9865BBEEAF31CAC89AF7214A59BD4B25F2BF7EB94E257AA2766F1D12892E1C34E78776F5E1
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):202472
                                                                                                                                                                                  Entropy (8bit):6.660474984647205
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:jLH6l5IoUzqiNVwzQyaT0NQgepguwz+uQJOAg0FubAIrnXrsFCAsKIP0a:SluoK7QiToQdeAOpLAFCtKha
                                                                                                                                                                                  MD5:0EA1C58DEDF685A4A1EEB1C7BD1C972D
                                                                                                                                                                                  SHA1:66CA439A737A35FC936D2C8F990AD3538D9F2CDC
                                                                                                                                                                                  SHA-256:41780A7339545676A2D587CD5BCEA9181E6FAAF3EC73C5006D7D76B47B98A6F2
                                                                                                                                                                                  SHA-512:D16B0A12EE38399C4B05F38E0CCCAFA6BD4984C353AF845337F3E5E8D64AAF3D9B1561E423C5CA59D2652EB083E92FB8832168989B34F11465AD581A39739BA7
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):247528
                                                                                                                                                                                  Entropy (8bit):6.255611405833788
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:MzlHNKfmGZoRwaQDy4ikigoh7Chpq8eFiybV:6tp9QD7ihgohCQFh
                                                                                                                                                                                  MD5:9380B590C9BE993F3F253469D0933765
                                                                                                                                                                                  SHA1:0DF57C8EA3D19DCEE142F03D0D6FF4DA7EE5BCCA
                                                                                                                                                                                  SHA-256:CB8BE7A72561A379B122AB70CAE681840009CE71C9C50B819B2B9E8CCC7A5B73
                                                                                                                                                                                  SHA-512:2277F388E10D8D579203F7546C30DD314C4BA0AEAC0CFBDBB7F393FBFE54F7ED60FBEDB31E524275112D9E1BDB9F5CB24AC02259ABBC096A81E8CE2D32B87F6A
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):705504
                                                                                                                                                                                  Entropy (8bit):6.635093248285898
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:GngcmdomAFsBeQsv5REGqRXkgVP73MfsPF9vyt2nSyv9K:fLAFKsv5ROkgVAfsPTyEnD9K
                                                                                                                                                                                  MD5:C40E8A502AF91ACA96B85AB36CBE818B
                                                                                                                                                                                  SHA1:004141E75604502E2EA30C5760008368C36850D8
                                                                                                                                                                                  SHA-256:A10966CC2785845DC296D90EF9C97ABA865BD06DF1A8A7006A7EE53EBD2152FB
                                                                                                                                                                                  SHA-512:219630292A8CF70311F06DC1F3A99BA948E7E7BBAB937B0F5B928121838B79FE851B70650BFFD07A4F36A22E2A7B34DE4461D8F4C97FC1322026CA2C5C2E31EF
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):966376
                                                                                                                                                                                  Entropy (8bit):6.564045153487216
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:3lzYxkj819KdVtUSPczJfKbM1aIjvI7BxwwuDFkrwtFkUHUZ0sIPbtYUkXAJfTSH:1zge8XKdVtUSPczJfKbM1aIjvI7BxwwH
                                                                                                                                                                                  MD5:A9FF3D29AF8CCA5D3C90F17709EB0548
                                                                                                                                                                                  SHA1:7F4B69366BA3BBB7BF08206FEA672C807CC2B562
                                                                                                                                                                                  SHA-256:45E8B5F32CDE9201278500DF961133AD26AD60C531FCFD77D3D26FEFF105FFD0
                                                                                                                                                                                  SHA-512:F043D1599D57B1E86D97CA1E81CF81FF0B3C97B95F1134ABF6DEEAC615F37645A825363315F5FB2139286BB5AEF5FA26C375E829AEC897C27CEA30199310123C
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):871144
                                                                                                                                                                                  Entropy (8bit):6.407442398411684
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:hgjR9MABH2uK50bPcjV/3WU020ZQA8NM/rmn:ghB1W3WUVeC
                                                                                                                                                                                  MD5:9A88DC21D3AC42ECA184F37297387BDF
                                                                                                                                                                                  SHA1:2F82552EF8F4B6A10356441CD158F1A0C5905913
                                                                                                                                                                                  SHA-256:466DF96D59B878EC6775ECC4D497B71CCD73CB11FBB2C2B23575EFE055BFFB75
                                                                                                                                                                                  SHA-512:1136D371771A71D329910ED9BDBF8243F74AD19FCE75F9A8712BC1E1E53EA3EF3722D4E067AB5567366D40D2637AF7E119E7E31734DDB57BCEE126CFE932C37B
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):927976
                                                                                                                                                                                  Entropy (8bit):5.917840435230856
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:Syp5QtiR2fVE00WKL+YD5ndNpKrtvKXVsFpJppn72z+T73P+2QHkgFrGCZK:1POE00WKd5ndNpKrtClsFXnhT7ZAkgxO
                                                                                                                                                                                  MD5:158D719030DBD08384235B165FC211CF
                                                                                                                                                                                  SHA1:A8161B15C0BC6576829DA4BC0732794B0AB2E37C
                                                                                                                                                                                  SHA-256:BC33C91BE3D31557B16F2B91B90DE96580C3CD2510E3C3D3B77E3D4CC8DBB0B4
                                                                                                                                                                                  SHA-512:383E551FFC50D17E9A5B466E996614B5AF35BEB48A72A47CB7D5A35B68D68906E5ABADDAEABD439AA214BE28E7A27FBCA3872537D65D33CA64A53B513A924EDB
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):575720
                                                                                                                                                                                  Entropy (8bit):6.4118078561661545
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:FoblSYniV7pA1yJVyfI1+RZSihzvjZh2Tx4UTFAzmp4ZZPy1KlU1E:sfI1+RZSiz2VlTF+XHlU1E
                                                                                                                                                                                  MD5:82DE25B17C3B9D6BB253B6BE7AD2FEA1
                                                                                                                                                                                  SHA1:6F6BCF23753F161D4DE444978C3EBC003D361B2D
                                                                                                                                                                                  SHA-256:165FC9F929853B4AE8603BB0C7807456B99871A7C8E9078F95D954C466A7172D
                                                                                                                                                                                  SHA-512:71EA0FE18F1EBDA98067460E6661FC108E7116E71651B0D05FB8365BDA92E1DBF02B89D20DF6B47C7557AC52877ED8EE503373164079C0F5C62EBF16439867C4
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):682216
                                                                                                                                                                                  Entropy (8bit):6.095070464124169
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:rhqnA1JpofoqtokijtH2OMoVTP94CCIKGJToFTz/goFZKk:VqnALpPqXq92bEx4CCIKGJToFTz/gox
                                                                                                                                                                                  MD5:3D7564C3B97E0DCC859CE8FAE51BF196
                                                                                                                                                                                  SHA1:F6588DAA615A45E375AB4CD8153A3D9BBDC476C6
                                                                                                                                                                                  SHA-256:73D11EF506C2282DBD45C4758F6C6B1352C596B1EC684BEF30778965D0774F1B
                                                                                                                                                                                  SHA-512:C6021111CA8F0B8BBD111F85397C0F91DD2423B9168711296B484190CF5C43CABE6215AFE4533881F0F285FBB201D4974D7343E92F33681B1983BB1770110246
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):628184
                                                                                                                                                                                  Entropy (8bit):6.631864802737484
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:Q9tUcJqS8DI9baOCmIJkPI9VYxPmb3pJ3xW2orMvM79G:GWKqS4OjlPUkmrpzWdSM79G
                                                                                                                                                                                  MD5:BFF0CE8D5C44994EF19F63D63CC29EEB
                                                                                                                                                                                  SHA1:B2837190927EE952721DBD5127C426D28FED9230
                                                                                                                                                                                  SHA-256:08C6DDD72CD481672476625BAB435993F2F0C85F835B0313C593F46C49DE6781
                                                                                                                                                                                  SHA-512:F527BB56DA57CA6BACDBA7871D65E48CA6ADEFE7F61240D766A6881C301B63C60063A09FA73E8BC64F40A01AD038B446B660A8ABC7719B84F1C6FE3654551420
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):117064
                                                                                                                                                                                  Entropy (8bit):6.436398487030181
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:pxNcrXn306zvccqtaGYvPCa/I7206aawWKxocUoiZw+BpQR9oLMm:pXcD30gccqtanCM0Wwiw+BpQR9oL
                                                                                                                                                                                  MD5:80907BE35290D47A8C6DF50A0B44DECF
                                                                                                                                                                                  SHA1:DBDDA59DD78716AD28FD37BF2619FC183D27CAE0
                                                                                                                                                                                  SHA-256:4C4853E4F3990FFD0B3D6EB1436A885559564C1065C26490B777EC9D3586A5C4
                                                                                                                                                                                  SHA-512:09D05C3133569548F4F231F0E06F6F29D57195C927B908F973CB05ABDE6214CA1E07399CB32EA5EC02635D81409B2A8F8F6BDA21F6B51B2A02115C2DF95B3B88
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):171592
                                                                                                                                                                                  Entropy (8bit):6.633100643329799
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:2g5d8g4gNv+wAGzpjdNwCR5t9Owr5HQ6UnsaP5YCnF+wFxDA:xDRpSs5t0u5wbfQ6E
                                                                                                                                                                                  MD5:FF07224F63F62ECC5C6F2DED09DEB0AF
                                                                                                                                                                                  SHA1:D3ADF969B20A3E42032E60A87DBD69834A748C1A
                                                                                                                                                                                  SHA-256:A9F37F82413889A66F7063991F5C2E6DBA05A35A245891039204A478DE318357
                                                                                                                                                                                  SHA-512:92B763A682C9F479F539AA945F245940351983EC04829FB6D614BB7ABCADE60E2205244C583F63547CF83F4819503529FF01411E08C9CBA26972222D2520AA4D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):243944
                                                                                                                                                                                  Entropy (8bit):6.56760832272308
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:YdtvVq01U5wXzfoUEwDTw3lCovmHDBYOfdv2xJ82wEdl/NPgqddBumr5365mwkq/:yNI0O4awI3AYqYEv2QIdZTJJYD1Y1a
                                                                                                                                                                                  MD5:FA85435627D31663BECB82EFFDFBE2BB
                                                                                                                                                                                  SHA1:C3D9EEA92EF90E652F500A1F900DA4E20A010C2A
                                                                                                                                                                                  SHA-256:7E0343BC0108526442E8B3FE7E538272FA6240E425BD8F318924573B59BD9DFB
                                                                                                                                                                                  SHA-512:7DA0E76E88D8E78D23E7E6BE0A184BF52DF5032113DFEBE087C3463AD990BE38CD4FD34586CCD367B381AE749F16E04573CF91E4B3D7A235A865D175FAACBDA8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):404296
                                                                                                                                                                                  Entropy (8bit):6.509440609680588
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:iwa9e5G4aES0Qux3nNj43ziT7U2mSBzRD44shPBTLaqqDL6UbwHUu:Y9exL3u0U2pBzm4sxBTrqn6Unu
                                                                                                                                                                                  MD5:630AE5740C702AF919BAED414DE8CFE3
                                                                                                                                                                                  SHA1:26A50EFF049B2DBC24BE11411032172E82B37B04
                                                                                                                                                                                  SHA-256:C3F08B4843DAF466148EE99DBD0D300B2A92BB695FCDE001E288189A3582300E
                                                                                                                                                                                  SHA-512:A714A6F13CE33D8EC31772F180F611C491110D438019D4FCD88F2EB114B41FBD28878B8B9C6BA723D892405DC825917EF1D4868FFB66069ABE49E5AF286F491F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:MS-DOS executable PE32 executable (DLL) (native) Intel 80386, for MS Windows, MZ for MS-DOS
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):60896
                                                                                                                                                                                  Entropy (8bit):6.847633229504993
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:NnCuEmXB5UMI3nhKrbZCWg/0/NC8hUDVsa0T1zj9KyhaMQNDG0uKjKj9MPgkz:N7Rx5Ulll8/H+x0T1zj9lHeMy
                                                                                                                                                                                  MD5:690612154E7E5233AA980016CEAEDEDD
                                                                                                                                                                                  SHA1:9B16E2F3D799EA506AA6A8F53FA4DEB36D73F5D4
                                                                                                                                                                                  SHA-256:FFB81D34A14B5837AC713657F7892E790F85564BC2BA792025B0F9E9E0959AD7
                                                                                                                                                                                  SHA-512:1F93AF0CA40DB562F7ECDBF19A0D899044BCF1F181B03E57E6B6F2C72F532652798023612BE9DEFE6261D631D10898D30ADB28EEFF922B72734B4DB27189C210
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):171848
                                                                                                                                                                                  Entropy (8bit):6.451554967739461
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:NQbFXbsJHCPNUzpNd0hq6pPyNVD/fAudYMi429OYHUMu73zE55C8f:atWpnztVLffdYLN8YHa7w
                                                                                                                                                                                  MD5:9828C8A355EA0F393260D6E3F7D511E5
                                                                                                                                                                                  SHA1:DC587D4215DC083A35E4BBEE095FB3FB07A73C33
                                                                                                                                                                                  SHA-256:B0D6D85D02E7650E03AB9AD04E90341EF6F5421DDC2AAA7AE65692944C298671
                                                                                                                                                                                  SHA-512:178D1AF5ABB116762C37714F2C142DB02BE9AF8B0C9BCD4948DE122583A9C815E1AB1F709E3167A096947CCCCD6ABEDC4BAB7ED405D207F097BD35640926205A
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):304640
                                                                                                                                                                                  Entropy (8bit):6.443933218835315
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:1AXDdMpEeHyH/D1kApvwp+ZniFARcRdhAGXPR:1Az6WeHyfDOAdwp+doARcRdh5Z
                                                                                                                                                                                  MD5:BB752561CE0859324FF01369BA8D25CC
                                                                                                                                                                                  SHA1:8C42AA1FF9060E58CFFD0EE9997DF134FB3E8739
                                                                                                                                                                                  SHA-256:A243D55655789EF26972546B7DC9723953564F52AE1C46087CCC2DB96F5B8D83
                                                                                                                                                                                  SHA-512:0C493C6868F4E2D90E3FCD6B71116769F2FA2F61740BCB9671B1DEEFC4628BE05E4441CA2008F6AD3F72BAE7C14028A7565CC2FBE68478E620F3CF9418357182
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):138056
                                                                                                                                                                                  Entropy (8bit):6.637936005523512
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:LKDfRbUTKLoDy1wSSH/2Lq62enAhXx2+EKI:KJITHu1wZf2Lq62UAh6
                                                                                                                                                                                  MD5:F62317FC61CA698D45A54C0F7A8A78B8
                                                                                                                                                                                  SHA1:F61D256EA3E3DD85CE7C44DC61AACC93E720F692
                                                                                                                                                                                  SHA-256:59DC54DD624E26D07EE8A908476EE67DCC3B6BA690F566C30B5522B6DCB8EE85
                                                                                                                                                                                  SHA-512:C06E046EDB18EE40D63411AA689280A73EBBEF3CE6977C51F629C43E6A6314895BCF2270E43CB1D9DD847B33874BC812778ACCEC07ED0FBFB9791556027FFCAD
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):170856
                                                                                                                                                                                  Entropy (8bit):6.55483314591404
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:4JJiNkByXIzFu3wK672soO82qUyleRR2v6eY8lMnu+wqH6F3:477yIzFfKTsS2qUKeXC5lRR
                                                                                                                                                                                  MD5:7EE49A57339ABCC35FCDE25D3F5EE8D9
                                                                                                                                                                                  SHA1:7A7F471DADD973CA57C79C43D93828B4496570E8
                                                                                                                                                                                  SHA-256:DC477A4B41CA92D94CB7092B458F35DEF2EF6F9A0B23A237A363E341E22AEABB
                                                                                                                                                                                  SHA-512:F978F6C882D80CFD87B2EF75EBB1C18C9BFB6759D28C0F503395217373AE241E5B08212D4D42373F6B94AFFBF775959E06BD1CAD5D09C488DC139906A0D4AB4B
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):111336
                                                                                                                                                                                  Entropy (8bit):6.7222941004358425
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:PTxwTSQCdxm/78XLv6JYZeD9GIn+uowP0T:PCzCeeeYAD9E5T
                                                                                                                                                                                  MD5:8719E73BC84D506FE7F0D367AE46ED20
                                                                                                                                                                                  SHA1:D60A1FF7B2478ACDA7C5C1730E0B963594311FB9
                                                                                                                                                                                  SHA-256:C110E1FF4F233669F1E035129E137ACED1A3632D17A8302502D160DC16FA9AF0
                                                                                                                                                                                  SHA-512:AE00044E9EE7B5AF66105067877AFD68D79ECEB6C945CC07F390D15A2E1C0832C578146E6B0657FD8A29F865EC6DB78DEFEB7C1BA7E3AF0D1427EFD22A67F8B8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):691760
                                                                                                                                                                                  Entropy (8bit):6.65005121490335
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:z9dSp9WkHCGswmfwHaG3qNeNCGWmQ47/KkRjDMfZVt1UE3HZyr9oUTB2O:Ra7HCXwmfwHRI+HWmQ4HRjDIZVt1UE3a
                                                                                                                                                                                  MD5:938C33C54819D6CE8D731B68D9C37E38
                                                                                                                                                                                  SHA1:5DEBC5AECEA887D17E342E3651006E1DB351034F
                                                                                                                                                                                  SHA-256:E705895392ACD9768F413E35545C6581B3BAC8C05DCE97BC9AF6A37BE7CB7DE3
                                                                                                                                                                                  SHA-512:16DEAF3B8C9A29B73D6530474F2A0BF5AC756D44A04D2468464FB78C9048CA9F1E1EBBCC91ADFC74963B7083B0381A47F76C70BADDEB44026C969125EA1C929A
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe, Author: Joe Security
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2713088
                                                                                                                                                                                  Entropy (8bit):7.9358560764847
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:gCE0mvBnEwvJm7T8UyHNzeBBHKZlYU13/1wUqq7vf2h0Vw:gCZmvBEqUyHcclt/mUCOa
                                                                                                                                                                                  MD5:C625FE50C8CBC877CBFAF1D5212F02C0
                                                                                                                                                                                  SHA1:90763CBEB446C7638F80851E55AF9976285DC56C
                                                                                                                                                                                  SHA-256:F8890DFA4609D9CB2CA685339468C5256356066CF91AB13C9A771A3B8A566D12
                                                                                                                                                                                  SHA-512:898703B75D27A9EE5055965BE16D7DEFA482A4199D6C008E539A0102230743AD4540945B76E78804F4CFA99D3DE79B9584D91F6C74C3FF2E6B8F4CC09E7F472C
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):58368
                                                                                                                                                                                  Entropy (8bit):6.398722888372975
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:qjw1c0DJ1xDL8lCXy60KlCXy60vcbvM1id4xSu:T1HPxD2Cj00Cj0C00WxS
                                                                                                                                                                                  MD5:56867EECC2042A0FD681F3B90D365A16
                                                                                                                                                                                  SHA1:021DAC119F8E115E6DF308DB85BC8760078D9719
                                                                                                                                                                                  SHA-256:48F8313380BC6FA33172888B8FD9874A6ED5465213BACB9F8D5C2BB3AB37BAEE
                                                                                                                                                                                  SHA-512:EBB40D1E1A7F6B9E9480E544A67C9383D53A708547ACBA787BFD7C5699E491EAD7FAF714C5D84407B3D9A1DD2051205E0A299EAEECEB44422E3874C5E55CC65A
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 42%
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):107120
                                                                                                                                                                                  Entropy (8bit):6.416041804489009
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:ABHJ2sevEPtUiDHPsG78SkqRsEKk2UaWD+Ug1phiaeBvNdiizK3xg+rd3XjxxyhS:eHAR6tHDp/acgrItvNdiizK3xg+FXOS
                                                                                                                                                                                  MD5:773D6EC38151B301FB8E45B4043E2E9F
                                                                                                                                                                                  SHA1:475A42DD7FF0417D6826187F37AA3B5FFA65AE50
                                                                                                                                                                                  SHA-256:E15E52A68BA167C0E6683EAFA3102079BBD0262EF5BF1005FE5A3B492374F66A
                                                                                                                                                                                  SHA-512:FFDEEA69581B7C25CF5DC83A9803E94AB83D6C19254F5DE474240DAD3B630386D8D401B7A5EA25F97B1BF068D95266D53AD6324362E7CF94B1F326DAA9B5A1EF
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):99952
                                                                                                                                                                                  Entropy (8bit):6.458473763443854
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:ZAUmWga/j5/IEHE2BzIfjwpDvdxeR1Ay01A4F1519hTnZmjjxy:jm+JrHElE9SRuy0hFX19hTZmM
                                                                                                                                                                                  MD5:D902AF6BDCB8F3D47CC7A26B7F5AF840
                                                                                                                                                                                  SHA1:B42E2C429F60551CAFDD92F5024DA7EDEC1270EB
                                                                                                                                                                                  SHA-256:ADD79DE18ECBDEEC06D9765B2308FDBEAB3F788382A07D6235B614CA58BDA2B8
                                                                                                                                                                                  SHA-512:1D55DC22AD3317622C3AE502B4B329B25DA6EB03D5FE8D2F4F7319110A196CDF08BD5E5DBB6322D6FC12B3C4472C629F9F64523FB23928E0433F96D0C8098911
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):51312
                                                                                                                                                                                  Entropy (8bit):6.588801090147588
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:gmaAkOI8/UgAXuuMnw415frUK5yPPTnDG3318RU7yw2MvZDGjENAMxaJ:gmPNN7wU5frbcba318aJjjxaJ
                                                                                                                                                                                  MD5:BF125A12E9CE8568AADD6A9EE11C696D
                                                                                                                                                                                  SHA1:4B8CF25506F5729D485171DECAA152B32EF2AFBF
                                                                                                                                                                                  SHA-256:72C9E45E029115541AEBA55243BED56CCB5E594E50CE26DEFDE76D35B5B892C4
                                                                                                                                                                                  SHA-512:B2FDCE478034312D7C7911F83E5A56DA505F9D5FF351CA74A8718B4256BB91DCBF341A268349DC992C7232A9B012BD986224BD650F7141261F8D38E9DCC43318
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):92272
                                                                                                                                                                                  Entropy (8bit):6.543211290485113
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:5MUmmeVWAcHeFzyWQ+lh5W0pkw01pPafkNA0tDq3NnqFBjxxP:5MUsVF6eFvPPWBw01ofkNA0E3NnsBj
                                                                                                                                                                                  MD5:23E97B1438152A4328FA97552F8B9AA1
                                                                                                                                                                                  SHA1:F95D191EB1E6DDBCA5B20FAC2D0746FEBB0B2C12
                                                                                                                                                                                  SHA-256:17CBD8771713566BEB469B300D34782986EF325582DCB575C4FB35C1FB397A9E
                                                                                                                                                                                  SHA-512:FA497B5F806D851717C920755E245E65CDBF5CEFCE0975DA33A43C88005474F87D006FFEFE111A199ABF4FC68CA640CD18709FEDFC376FC64E6D6CC272D816A7
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1063616
                                                                                                                                                                                  Entropy (8bit):6.674869382282474
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:2ODivXdRxWmQOhfbV5l7kZLWfGPeu/PUw6WmARlXDMmH6PBzT/Cn+m4q:2OuvbfGZGGKJT/Cn+Fq
                                                                                                                                                                                  MD5:4FF45827EC92E40935F9939142CD40DC
                                                                                                                                                                                  SHA1:CAD74928F3387E6BF28C3625803706061E956B34
                                                                                                                                                                                  SHA-256:012ED8D16E9F7586FE44C0AFFE5BEA6FF68F27231A6526D439643869A103E434
                                                                                                                                                                                  SHA-512:A3DFE7976E5FFB4BA0C68E218C0924568D343E7937ABB50785107DE5E0ADC11AD58A86E02FABB455845FBE8E545E48B57A67EB647C664390ED521D255FF3BEFE
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):32256
                                                                                                                                                                                  Entropy (8bit):7.484270190239562
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:tUqX/E3rJA4ZX6xUrLGwk9xAlvcuHnYoq7MNC3Il:tUc/+vKGnax8ESY17WkI
                                                                                                                                                                                  MD5:63F6D9FECB240388D69CB668CFE50C00
                                                                                                                                                                                  SHA1:2B67BB8AA45A9D0383E76F15E631C1131B28BB1E
                                                                                                                                                                                  SHA-256:678D6ED15F6150BFD5BA8E823CF877C32BB492E8557E107FAC77143DAD3724F1
                                                                                                                                                                                  SHA-512:176B096493206D2DADB17D778E959855DEEF0EC8D5343C09790CA6C067A338ECE44138FA9081888CAA2228A041D2A8C71B085AD8FEFAFE479505F667F6D2B7E6
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 13%
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):388808
                                                                                                                                                                                  Entropy (8bit):6.5956896905460125
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:B9su6Bohl2JJmgk1G8M0uQoRkQsKwxBF6CaSIU9ILZxxB5ARUWvAX+E:BSohl2JJmgk1U3QMkQsTx3paSIUixGRI
                                                                                                                                                                                  MD5:B8253F0DD523BC1E2480F11A9702411D
                                                                                                                                                                                  SHA1:61A4C65EB5D4176B00A1FF73621521C1E60D28EA
                                                                                                                                                                                  SHA-256:01CEE5C4A2E80CB3FDAD50E2009F51CA18C787BF486CE31321899CCCEDC72E0C
                                                                                                                                                                                  SHA-512:4C578003E31F08E403F4290970BC900D9F42CAA57C5B4C0ACA035D92EDC9921BF4034FC216C9860DA69054B05F98DADE5F6E218AC4BEE991BC37A3EF572FE9A0
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 6 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):104864
                                                                                                                                                                                  Entropy (8bit):3.9053747079480448
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:0ePYp7777777777FaTLcbLLLLEW/+Z+Z+I1m5aaaaaaaaaMsJju5wU4XcG8jUEPE:n7sAacGgUEc
                                                                                                                                                                                  MD5:6CCA9307DEAF7B167C92BBE3D2AC59CA
                                                                                                                                                                                  SHA1:FE2A51B84BD203BA0AEA43D50D664B1632F3B0B0
                                                                                                                                                                                  SHA-256:771E0C7FF0514650DF7C62E237A8D8DDFA2D156A8B18473AE647E6684A483178
                                                                                                                                                                                  SHA-512:C1E4639BCFF0C18713116973524E7527BEE31307C33AF2048F617CE0460580A2FEE88FF6E347F87C799AC990F4BCCB97A2FCEBCB82AD4A926EE95F211A033368
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1165576
                                                                                                                                                                                  Entropy (8bit):6.491752155251347
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:ptf4OLWmQQ3b6ZVtecP3Ufy/ilDqzybXIZ0xKHpWq0dGcz7msH0WQWmAdA7yJBzA:tLDlDgRGxKHpSJ28TU
                                                                                                                                                                                  MD5:D75E14313FC8A0850F3190CE67509475
                                                                                                                                                                                  SHA1:74474830BC0706E5C0A8B455A4E1B47D9F1DE741
                                                                                                                                                                                  SHA-256:E5C711BDB99AB55EBD96B3636C7396566C98ACFFD03DF735A15F1E18936A718A
                                                                                                                                                                                  SHA-512:A4260F1A9A77BC41FC54532BDBF51F831004767E08150BFF95374663930BBE4FCA81790AA4578C062674557A02A698EA798CFC00F2355F6B8FA71BF2915CBAAA
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):333824
                                                                                                                                                                                  Entropy (8bit):6.389952178495305
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:WyEhWbJNOcWd55OHSCw1ohITXVvrJGqdK2Dug6dGXLSuMAFi2TBfR:Wlu1IjOIohILJrc4Ezui2TdR
                                                                                                                                                                                  MD5:EC9483F4B8C3910B09CAAB0F6CB7CD1B
                                                                                                                                                                                  SHA1:9931AAA8E626DF273EE42F98E2FC91C2078FDC07
                                                                                                                                                                                  SHA-256:4D9CAE6E2E52270150542084AF949D7B68300E378868165FF601378A38F7048F
                                                                                                                                                                                  SHA-512:84B60FE3CD0EDE19933B37AE0EAEBA1F87174A21BC8086857E57C8729CEC88F9FEF4B50A2B870F55C858DD43B070FD22FFEC5CB6F4FD5B950D6451B05EB65565
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):608080
                                                                                                                                                                                  Entropy (8bit):6.297676823354886
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:koBFUsQ1H5FH3YUTd/df0RA7XkNvEKZm+aWodEEiblHN/:dFUsQ1H5FHdGKkNvEKZm+aWodEEcHN/
                                                                                                                                                                                  MD5:D029339C0F59CF662094EDDF8C42B2B5
                                                                                                                                                                                  SHA1:A0B6DE44255CE7BFADE9A5B559DD04F2972BFDC8
                                                                                                                                                                                  SHA-256:934D882EFD3C0F3F1EFBC238EF87708F3879F5BB456D30AF62F3368D58B6AA4C
                                                                                                                                                                                  SHA-512:021D9AF52E68CB7A3B0042D9ED6C9418552EE16DF966F9CCEDD458567C47D70471CB8851A69D3982D64571369664FAEEAE3BE90E2E88A909005B9CDB73679C82
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):661456
                                                                                                                                                                                  Entropy (8bit):6.2479591860670896
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:akhiz9iVQi6mpiyMATITfluR3G1YdpTzYJQIbRdJN2EKZm+DWodEEt2L:WaQeIJN2EKZm+DWodEEt2L
                                                                                                                                                                                  MD5:7CAA1B97A3311EB5A695E3C9028616E7
                                                                                                                                                                                  SHA1:2A94C1CECFB957195FCBBF1C59827A12025B5615
                                                                                                                                                                                  SHA-256:27F394AE01D12F851F1DEE3632DEE3C5AFA1D267F7A96321D35FD43105B035AD
                                                                                                                                                                                  SHA-512:8818AF4D4B1DE913AAE5CB7168DCEC575EABC863852315E090245E887EF9036C81AABAF9DFF6DEE98D4CE3B6E5E5FC7819ECCF717A1D0A62DC0DF6F85B6FEEB8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):660128
                                                                                                                                                                                  Entropy (8bit):6.339650318935599
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:t2TOv4Zur4nRc4RwlG4xH2F+O+/i2UA3YyB2hxKM5Qrt+e2EKZm+GWodEEwIP:qRhxKM5U2EKZm+GWodEEw4
                                                                                                                                                                                  MD5:0A097D81514751B500690CE3FC3223FA
                                                                                                                                                                                  SHA1:7983F0E18D2C54416599E6C192D6D2B151A2175C
                                                                                                                                                                                  SHA-256:E299B35D1E3B87930A4F9A9EF90526534E8796B0DEF177FB2A849C27F42F1DF2
                                                                                                                                                                                  SHA-512:74639F4C2954B5959EB2254544BF2E06AB097219FC8588A4F154D1A369B0657176128C17911958C84ED55421FE89BF98C8ED36D803A07A28A7D4598DB88027CE
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):449280
                                                                                                                                                                                  Entropy (8bit):6.670243582402913
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
                                                                                                                                                                                  MD5:1FB93933FD087215A3C7B0800E6BB703
                                                                                                                                                                                  SHA1:A78232C352ED06CEDD7CA5CD5CB60E61EF8D86FB
                                                                                                                                                                                  SHA-256:2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
                                                                                                                                                                                  SHA-512:79CD448E44B5607863B3CD0F9C8E1310F7E340559495589C428A24A4AC49BEB06502D787824097BB959A1C9CB80672630DAC19A405468A0B64DB5EBD6493590E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):31528
                                                                                                                                                                                  Entropy (8bit):6.472533190412445
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:R77JqjlI8icUYWhN5tWcS5gWZoMUekWi9pBj0HRN7RA5aWixHRN7osDhzlGs6N+E:R5D8icUlX5YYMLAWRAlypmPB
                                                                                                                                                                                  MD5:7EE2B93A97485E6222C393BFA653926B
                                                                                                                                                                                  SHA1:F4779CBFF235D21C386DA7276021F136CA233320
                                                                                                                                                                                  SHA-256:BD57D8EEF0BC3A757C5CE5F486A547C79E12482AC8E694C47A6AB794AA745F1F
                                                                                                                                                                                  SHA-512:4A4A3F56674B54683C88BD696AB5D02750E9A61F3089274FAA25E16A858805958E8BE1C391A257E73D889B1EEA30C173D0296509221D68A492A488D725C2B101
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):193832
                                                                                                                                                                                  Entropy (8bit):6.592581384064209
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:V7vC/HAiCsJCzwneNPXU7tm1hTt8KBDal8zg/0LwhORfewlMi0JHV:VTGAtweN85m1f8KBI9wfpsJH
                                                                                                                                                                                  MD5:937D6FF2B308A4594852B1FB3786E37F
                                                                                                                                                                                  SHA1:5B1236B846E22DA39C7F312499731179D9EE6130
                                                                                                                                                                                  SHA-256:261FBD00784BB828939B9B09C1931249A5C778FCEAD5B78C4B254D26CF2C201F
                                                                                                                                                                                  SHA-512:9691509872FDB42A3C02566C10550A856D36EB0569763F309C9C4592CAF573FBB3F0B6DC9F24B32A872E2E4291E06256EAE5F2A0DEB554F9241403FD19246CAC
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):773968
                                                                                                                                                                                  Entropy (8bit):6.901559811406837
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
                                                                                                                                                                                  MD5:0E37FBFA79D349D672456923EC5FBBE3
                                                                                                                                                                                  SHA1:4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
                                                                                                                                                                                  SHA-256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
                                                                                                                                                                                  SHA-512:2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):849360
                                                                                                                                                                                  Entropy (8bit):6.542151190128927
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:I+9BbHqWVFlB7s2ncm9NBrqWJgS0wzsYmyy6OQ:z9d7M3nS0wV
                                                                                                                                                                                  MD5:7C3B449F661D99A9B1033A14033D2987
                                                                                                                                                                                  SHA1:6C8C572E736BC53D1B5A608D3D9F697B1BB261DA
                                                                                                                                                                                  SHA-256:AE996EDB9B050677C4F82D56092EFDC75F0ADDC97A14E2C46753E2DB3F6BD732
                                                                                                                                                                                  SHA-512:A58783F50176E97284861860628CC930A613168BE70411FABAFBE6970DCCCB8698A6D033CFC94EDF415093E51F3D6A4B1EE0F38CC81254BDCCB7EDFA2E4DB4F8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):963744
                                                                                                                                                                                  Entropy (8bit):6.63341775080164
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:lQ39+j16xw/86yY4ZOVqSs8cKPkb3vi4vwW1kCySQmWymTXY:S3tPDLfRbiow9Cyo
                                                                                                                                                                                  MD5:E2CA271748E872D1A4FD5AC5D8C998B1
                                                                                                                                                                                  SHA1:5020B343F28349DA8C3EA48FB96C0FBAB757BD5C
                                                                                                                                                                                  SHA-256:0D00BF1756A95679715E93DC82B1B31994773D029FBBD4E0E85136EF082B86A9
                                                                                                                                                                                  SHA-512:85D6BCAAF86F400000CF991DA1B8E45E79823628DC11B41D7631AA8EE93E500E7DA6E843EA04EDB44D047519DABEF96DCB641ADC2A7B3FAA5CD01E8A20B1F18E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):57456
                                                                                                                                                                                  Entropy (8bit):6.555119730119836
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:h4WOg3TER/nhU8Vbbb8O0WWVYgaatjJxl:h4WOg3TSr78O0WWVYg5tJ
                                                                                                                                                                                  MD5:00FCB6C9E8BD767DDE68973B831388E9
                                                                                                                                                                                  SHA1:2D35E76C390B8E2E5CA8225B3E441F5AC0300A02
                                                                                                                                                                                  SHA-256:1CC765B67D071060C71B4774C7745575775CE46E675E08620E5BAB3B21B2CE79
                                                                                                                                                                                  SHA-512:2B48701B5F4B8F1EB7FC3EB9A76370883FE6CAF45D92DA607AB164F93E0EED65D6C1369D4EA974A112C902FD0F5BAF06E7611ECB9B50BE3A599F261624B33BA5
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):101872
                                                                                                                                                                                  Entropy (8bit):6.5661918084228725
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:RCKWZGuEK0mOLSTxoPl9GIcuZrxi4hXX9oix8H+NCIecbGShwZul:RFWY1WxgGStJ8H2CIecbG36
                                                                                                                                                                                  MD5:971DBBE854FC6AB78C095607DFAD7B5C
                                                                                                                                                                                  SHA1:1731FB947CD85F9017A95FDA1DC5E3B0F6B42CA2
                                                                                                                                                                                  SHA-256:5E197A086B6A7711BAA09AFE4EA7C68F0E777B2FF33F1DF25A21F375B7D9693A
                                                                                                                                                                                  SHA-512:B966AAB9C0D9459FADA3E5E96998292D6874A7078924EA2C171F0A1A50B0784C24CC408D00852BEC48D6A01E67E41D017684631176D3E90151EC692161F1814D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):44312
                                                                                                                                                                                  Entropy (8bit):6.623047237297825
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:vG3xRsJTKdiibUoT2zvivbXXyJWqWZ8DZX:vG7DyM22DiJMCtX
                                                                                                                                                                                  MD5:9040ED0FDF4CE7558CBFFB73D4C17761
                                                                                                                                                                                  SHA1:669C8380959984CC62B05535C18836F815308362
                                                                                                                                                                                  SHA-256:6CC4315DACEB0522816C60678344466CB452426267F70C7FAAE925361674E774
                                                                                                                                                                                  SHA-512:303143006C781260540E9D0D3739ACC33F2D54F884358C7485599DD22B87CCE9B81F68D6AD80F0F5BB1798CE54A79677152C1D3600E443E192AECD442EA0A2E4
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 936, Revision Number: {B27D822E-68C4-4CF6-961C-F62B0D119E2A}, Number of Words: 0, Subject: Windows, Author: ElLGDUGELFDK, Name of Creating Application: Windows, Template: ;2052, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 12 17:35:37 2024, Last Saved Time/Date: Thu Dec 12 17:35:37 2024, Last Printed: Thu Dec 12 17:35:37 2024, Number of Pages: 450
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4526080
                                                                                                                                                                                  Entropy (8bit):6.5649194117879635
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:0omhaJBcvYnZ5iXuoRNeycFTznJ95U0zjjZVeZlPjgzixI+vGYRnAWNTWw5EQbhp:WABcveycl20iuW5CfTRWXpd
                                                                                                                                                                                  MD5:7E49C843B9BE3C41508F60E1DF899C48
                                                                                                                                                                                  SHA1:EDFD6BC81E67DBC9F2B513BC0404AB73FD0F7CBB
                                                                                                                                                                                  SHA-256:EECAFC62E71A490B60B1C5A72F70794B15DB756AB879F2AA63307DFA6283367C
                                                                                                                                                                                  SHA-512:CCADE37586A0F3C9E555ED9E68534271057363B8D4F0AA10003522972EAD59A875F39E5EEC257575EF94C0469E3DD7B377032F5BF409D4C9598A7D465A5D606A
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:7-zip archive data, version 0.4
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):204
                                                                                                                                                                                  Entropy (8bit):6.524007625247223
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6:uXphPJHpYvKNvarzc7Wqhd/2NZ4xJH6R5KMEL:GuvKNvKcUNgS5Y
                                                                                                                                                                                  MD5:3E08DF5CDDD1F234418DB3C19F4C9700
                                                                                                                                                                                  SHA1:67898ADFFD834CE604643B8835F0700D5A0FF4E8
                                                                                                                                                                                  SHA-256:F8FC4386A90F2C819E9CA03C7821184AC0E65457A6CDCDACC4C0E7F10034D267
                                                                                                                                                                                  SHA-512:E6580EA95E54B5F9A387E23B1425C950AEE3C59CEF02229A5CF5FD48F4F0665B2F2DE5C76465F7E54938EE47F1ACCD5F0353BACDA98042625061844811828C5F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):400480
                                                                                                                                                                                  Entropy (8bit):6.6249170967240625
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:ke/EYk6LSMAROeK3nzAPSayAj7+fyJHbVJMs/ubUQ3Q/p:MQ7DAvhpGs/8UQ3QB
                                                                                                                                                                                  MD5:CC4F1CDFA6A90B6152B8012E8C035DFD
                                                                                                                                                                                  SHA1:011098BADE1BD47557147B8CF3BAF4A070CB9D7C
                                                                                                                                                                                  SHA-256:7B9FF465FA54E5EDF69F0794D7CAF7ADC6D7B20534E6DA0181DC93DC062E7CCA
                                                                                                                                                                                  SHA-512:0084BADEBBAC672904BD7E19019C2D86B4745DEA26229CE82E48E0A5134DF3FA42B4948C673B17432BFE14F13A82B0BAFF3B5D861AA4AB3A951AF40793780CE1
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):427104
                                                                                                                                                                                  Entropy (8bit):6.602064716561835
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:d54WjgpIW+m/CbqwcAjoZOtjEipBiRuL9JK:avGPJbtjEY2uL7K
                                                                                                                                                                                  MD5:50B836C0E21FD4EF3F6F6102F9162FEA
                                                                                                                                                                                  SHA1:704834D4BE32AD186FD761E908CC0518AC2A8117
                                                                                                                                                                                  SHA-256:8CFC18609E75074EB0FBF3C87C1B41E263DE503083A7EBBB00643E0F05A2920E
                                                                                                                                                                                  SHA-512:B2C220F954A38B7EBC44FA60454CD8322A21714F1E3D593F32B7C4865113157965E1C8C0821F60F1865270FCB2529EBF8CDD32F1DE44A7626C0D0DB304C72644
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):572512
                                                                                                                                                                                  Entropy (8bit):6.263529853370218
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:Azb0JSwmBU/no1rNW23dImf/D/cnlu41T3ork5d:AH0JSwmko1rNW23df/D/cnlhp3d5d
                                                                                                                                                                                  MD5:984829AFB3ED76FABCAB8AE4BE1FF15C
                                                                                                                                                                                  SHA1:2498F20AB62E3061FB144C7CEAE5CF254D6C7095
                                                                                                                                                                                  SHA-256:F257E86E42D7546C37AEABDC7BF1D00BC09E7B26D9AF4478302FF2B872187C33
                                                                                                                                                                                  SHA-512:5270AE482E8C462B5360DD60C06D8757BE5F7E513A0A7BF993F3F088A67516AAA0A744CDBD034828D3AAF5E6EADAF630317ACF325B03E028398C7EAC12A97B04
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):572312
                                                                                                                                                                                  Entropy (8bit):6.6114481461607175
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:KmuYzDRB54CwW2U0lY4woeFuA0TpxVQ8Y3Ew+zBsPO3erF7q0zoCiJbDjdxzF5og:Ju+469PqNYsBsPTziDjLbCEGne9Z
                                                                                                                                                                                  MD5:5CC95EA39AB6D7751A1A85F832CCA011
                                                                                                                                                                                  SHA1:387B60FE4F257BA8A0F5DA566709640F972EAA3B
                                                                                                                                                                                  SHA-256:4BF5DD0ED84D6C7B4965628A22668F733C167427B20A4B56AE356205381B527F
                                                                                                                                                                                  SHA-512:6E28E6D3D1A6BF4FB046A7F03F68FE27F8A7151465412EA4126AD3DD2A9DC9C89238923E858C644892D72D318CF2112C4AE60DAE363CC5EC41DEF1663BFDD101
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                  • Rule: Mimikatz_Gen_Strings, Description: Detects Mimikatz by using some special strings, Source: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll, Author: Florian Roth
                                                                                                                                                                                  • Rule: Mimikatz_Strings, Description: Detects Mimikatz strings, Source: C:\Program Files (x86)\WindowsInstallerIC\7AF5081\HackPatch.dll, Author: Florian Roth
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):249768
                                                                                                                                                                                  Entropy (8bit):6.601810977306283
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:/0jvJ1SDHfvcFHDSU4/eebh4HT4dK62HPWA2F0T7z/LDdUjE2rRNq5N5EuXCRfC:/0jTSrMtceebhz32HPWnoBUw2/G5r
                                                                                                                                                                                  MD5:2EA3ACA1D36D16F0699261F77EE6ECCE
                                                                                                                                                                                  SHA1:31C6575F5EC4F48ED3939FD5484F4E3D5869D3DA
                                                                                                                                                                                  SHA-256:12B2AAA9C7222B13E97A0870006CFC498134F7182009C49FAD0281A85D5CD386
                                                                                                                                                                                  SHA-512:30057B3491807413603C5A4668D020A384548CE6F41BA9DE6C708C4BF052BE10113AE5AAF41697ACC2AB56E9674EE8DC4669584FA9F838A9359842038F82394E
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):555240
                                                                                                                                                                                  Entropy (8bit):6.523642703236138
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:RzJibra10t6DBAAxFhNngOsLOsZDvnCjN8d6HVilI5hKRPnQ0FbgB4e:CbzipngOsLOsZL38IKb4PQ0Fbje
                                                                                                                                                                                  MD5:4B481EA28EC7B065AD6C7FE7674AA363
                                                                                                                                                                                  SHA1:152FC3DA4A1DF717623E4D57476A1D72ADD7F610
                                                                                                                                                                                  SHA-256:92AA7045E70E2BBB706DCD1A1D9B41026CFA06FEDF0E48EE0CAE63B8B80084F5
                                                                                                                                                                                  SHA-512:08F8388322D3623F8DBC23DB60E0542B972754FEAB4071C0FC7382F9EBD54313A8A10E5EBAC9D72E5F4909B23A2FCB4114B44BCF47F3090B029DDEA27CFF21B3
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):180800
                                                                                                                                                                                  Entropy (8bit):6.720835675786583
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:zQPGqss58Kg5dqBLQ8/90/qTQPOfb7+sH1buHv/c6R2Wmjgk4Kq2iSiTHa89B:zQPB4jqBLQ86qsPOf+8RuHXc6tmv4KqZ
                                                                                                                                                                                  MD5:91D9E316BD0533C92BDE234131EC7AB4
                                                                                                                                                                                  SHA1:86D1997382E3FE81AC27B88EFE33E1773D095518
                                                                                                                                                                                  SHA-256:62BAAD0A128B580889091F015384410BD491F21BB101682557B034ACB28E00D9
                                                                                                                                                                                  SHA-512:BDD41A900EB1299815CA24FD78EE5499F20C78C5E62CAF11934A5348836C557AB402DF1D75B4932AA6E322562C8CDEBB120FC74137ED9D693AE6719C44C5718F
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):219200
                                                                                                                                                                                  Entropy (8bit):6.255426513524174
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:n7pWDP71+xRSkTt9XFD6RAtofSUAfohtDanx51K6flyT9S9:1WDP71+xR7h9XFBtofStomfK69e9S9
                                                                                                                                                                                  MD5:C64D91E0734622D550F578CAC023FE9B
                                                                                                                                                                                  SHA1:9B5F47305F02ED862BE6A8E6F6D48647F9311E84
                                                                                                                                                                                  SHA-256:9AA97B67D074D85CAFB29A0A561DFAA2416A283FC8A228B6904D63D16C8C463B
                                                                                                                                                                                  SHA-512:FD419DE7FBC7C0B9F33CD340E2DEF67849DF628799FC0507DFEB6F77DD8681232B81216D082155278EC7D158E99FB480EEAC884A8962F410321F91A89D500CBD
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):175728
                                                                                                                                                                                  Entropy (8bit):6.544553321577818
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:ix5UgqxBe84iqhlPyKc4pquYWWM1qOrlhPzc8ylmyK5WodzzDi:i4pgbzTYWRZHrc9lNQzq
                                                                                                                                                                                  MD5:B8FDC03B9B84A62C5C541524DCA2E723
                                                                                                                                                                                  SHA1:5643ADAE63CA199F9C44A35F3B30947A0F8B6D21
                                                                                                                                                                                  SHA-256:1F6F3DADCC4C3096EEBFB5CE5DB979755ABA5CEB9DB18E6CA6238F05B45E5F4D
                                                                                                                                                                                  SHA-512:A31708C251967D484F242BE658E92E94D87671294CD2C959276EC3B739D46F3FC7D1140CC8F78640DBD9970EC2176633E67DD079A3182ACDCE0FA8A7DE366637
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:7-zip archive data, version 0.4
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4838529
                                                                                                                                                                                  Entropy (8bit):7.999964247779076
                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                  SSDEEP:98304:dyuKv/wWIsvrPq9Bj51aCo01eQI3rWHVNZCbNbXew9xJePD84rzt0V:dy9v/wWIsTujqEeKVN0bNzewTkPpz2V
                                                                                                                                                                                  MD5:11C3B2492D2EFE15F6E49E06BBF6F771
                                                                                                                                                                                  SHA1:3079536DAD9E3C6992DA6E5DC31CEA4691310125
                                                                                                                                                                                  SHA-256:3B3D05AED876749A75D82D382314A20434D427BD44EE56DDB0C852C648A44040
                                                                                                                                                                                  SHA-512:A79BAD2BBAFA2A096FB5CE90605FDFD6ABE55E004932AEAE588D67E0805724D88A40CF04CAC28FD4636F0CF19BDDBD3B1954B6CD9984D03EFED06D673B48C8A8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:7-zip archive data, version 0.4
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):11899681
                                                                                                                                                                                  Entropy (8bit):7.999984606834096
                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                  SSDEEP:196608:OI9kryCdze2PCDz0SSDHFzQEZtFAXiJqZ9Ne5PbwGIIxCH5aLJkER/NF7tt5R:dkrve2upkHFc0+XiJqrALLJkETtX
                                                                                                                                                                                  MD5:34C22F715FACA10EAA6D4F0C04811934
                                                                                                                                                                                  SHA1:163259AB5704779CE2A8E3BE11A7E73C4A9D36DF
                                                                                                                                                                                  SHA-256:9747A960BC2B94B447948C0A0C2BE72BF97E9C0AFA56E678CE5E5B29355D1752
                                                                                                                                                                                  SHA-512:BE6DC349F0F55CBFA39FDFC5051CAFBA46AA468C5C13DB47CAB03F3FB7A3F8AC5A1B04C31CABFAD9196534305EE310104904EAC26EB540D9853B63A8F4B37C4B
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):313952
                                                                                                                                                                                  Entropy (8bit):4.32348576044483
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:7cxIVD6kUS+hV/EENZH3JzJPlZ4k5O0f+BC9vCfFL:ooehV/pJzJPHM
                                                                                                                                                                                  MD5:A88A6FFF171F7FECF8668DA1EFC843DF
                                                                                                                                                                                  SHA1:E4C8B375BBECF5790B2B0444B049CCE11659D598
                                                                                                                                                                                  SHA-256:34CCCEC093F5711D1202F54BFE8756E093E4F84099EC7D609AB9658C3C941921
                                                                                                                                                                                  SHA-512:808F6E217F5E157663E66B46429636C4D811ACA7C5672EDD1B003377BB4A039265B4FB905B4ADE39D81B3E64E7793BE8278454155E8BD2EE92FB5B6F919563EE
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):362400
                                                                                                                                                                                  Entropy (8bit):4.208790369342181
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:ZGlYJdSi2t2SwbVGMuyic94uxJmXs/wIb8n9ssWy5cdJEnpOwD7A51B8BLRPrB:0lYXSi2ttqWc/PYOy5cQnpOS51
                                                                                                                                                                                  MD5:3D01B2B5288974E922B6417FD3B02373
                                                                                                                                                                                  SHA1:5649D3E7E15D1BF707CD7C28FE9931E5620EE9ED
                                                                                                                                                                                  SHA-256:B438EF547753F91577730FFE9321563E7DD4ABBCBF056ADEE3C49906FC1EABD4
                                                                                                                                                                                  SHA-512:F0C0EEBA22F33A4C596FF1272D681E7A349AB60112FD0AF5C75E07F065F35525C332270DE0ECC171D0B4BF53C3BC79C4E40BAD0EF1A0418A2D5DE882765D2FEC
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):647184
                                                                                                                                                                                  Entropy (8bit):6.591959886632138
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:I/8iKgqct1l8h5H/30CrYXUjniBZoStkf0EOl/mvxxXiINkYF69+:NbhV0gMYnigStkMEMSxXrmYF69+
                                                                                                                                                                                  MD5:960B05116F13AE8E8B17A6BA2919BF2D
                                                                                                                                                                                  SHA1:D1A58D1F65272198D0A6657B06FAE6D27F1E156C
                                                                                                                                                                                  SHA-256:00354506D4F1DD6A1FDF9450CA4A8E799A5A420A1A47BA3E41D7B30D8D02440A
                                                                                                                                                                                  SHA-512:7A05E3178ABB8F92AA3A61F8A3156C87BD46F03F12D8EFC6CC1FEEE36B2508816E761BF6A3385BBDA2DD16EA3AB9CB4A5B899C3D844257811F0B3D9C4464713B
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):921160
                                                                                                                                                                                  Entropy (8bit):6.7626587126151065
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:nJtdTUbI0Ig/fMiK6hRN/IgOoWtT9nQnap:nJjUbIU/fPHhrIgBWtTFQnap
                                                                                                                                                                                  MD5:5123C3B8ADEB6192D5A6B9DC50C867B1
                                                                                                                                                                                  SHA1:6D142074A21AA50C240CE57CA19A61E104BBDF41
                                                                                                                                                                                  SHA-256:273CE954C8D33ABAAC3A0FD8546719F09718C1D91317ECF5B99181DFFA3FE26A
                                                                                                                                                                                  SHA-512:067305A8F09C480FE4A4C8609638C9A490C4EBE2782BD13C10B380DF14F76D4748EB785F44E7BCB86514718F99D07C3C6A4B43928A294B18020CB0FA589EE2A0
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):451480
                                                                                                                                                                                  Entropy (8bit):6.641728581015286
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:c2qfhIic6ZYk/UxdGhZi1MVv2MIbvweYsoOzpgseJUnv9it:c2qfGhz/qgodsoRenv9it
                                                                                                                                                                                  MD5:2C63554380D33E2AB153CB285E72C2F8
                                                                                                                                                                                  SHA1:1EDE14CA4003AE639AA80E2F4E90558DD1A49A7A
                                                                                                                                                                                  SHA-256:F77F9AFB3459F2D2C8FB0354317A0353ACBBF6D31988597775ADCD9AB0D80BA1
                                                                                                                                                                                  SHA-512:96F951089D907F635AF5A517AAF53FD13064ECA471DC4440B8C67147A91F11043043F102814C2E6DE8933F81F30D6AFFFCC073BF98670A8D52A5518AD89646B7
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):337736
                                                                                                                                                                                  Entropy (8bit):6.495942481063909
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):499432
                                                                                                                                                                                  Entropy (8bit):6.633998530829339
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):343784
                                                                                                                                                                                  Entropy (8bit):6.490658338748216
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):533600
                                                                                                                                                                                  Entropy (8bit):6.567835943059589
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):247016
                                                                                                                                                                                  Entropy (8bit):6.914297747665078
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):290024
                                                                                                                                                                                  Entropy (8bit):6.537709606383622
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):160584
                                                                                                                                                                                  Entropy (8bit):6.648758970829866
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):549488
                                                                                                                                                                                  Entropy (8bit):6.736896619735914
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:MS-DOS executable PE32+ executable (DLL) (native) x86-64, for MS Windows, MZ for MS-DOS
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):42976
                                                                                                                                                                                  Entropy (8bit):6.2171815555231875
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:iHfqCaczo/ZinYCOd9L9KyhaM7JubDGpZRKjKj9MPgkU7:8fqT/ZWY/L9l7JheMJ
                                                                                                                                                                                  MD5:671F95CAB2B5CF121125413F250F5275
                                                                                                                                                                                  SHA1:73D99D09A3D8978A5C6DB43CEC85FB43B03B7A26
                                                                                                                                                                                  SHA-256:728A1FCDEDCA6DBD8FDDDE3F33CD64DD99853C26EF5B10D3FEF0D76D0480964B
                                                                                                                                                                                  SHA-512:4AF690AF838CEB026636931AEDE3852EAE6D83881149EF4C28CC1DD032C3F7F6A64B30171C2524512FACD40496DAB305523D20637B44EFBF0D5805D0FAD1FFCB
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):253456
                                                                                                                                                                                  Entropy (8bit):6.554744612110189
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:OpoEWHpLJeJ8MvIucm/334RStKp7Tu975:vEsLJeJ8MvPcm/30u975
                                                                                                                                                                                  MD5:637FB39583F9C2EC81E0557970CD71AD
                                                                                                                                                                                  SHA1:ADA1137BB47DF62F48407ACC2DC713D92D13A0E0
                                                                                                                                                                                  SHA-256:330B8EC664949CB9DE5BCCE5AC248148B58DCFEED69ACD8D9CB576AAA935045E
                                                                                                                                                                                  SHA-512:F72C77D29C51CC6AC1151C919C769BF063E5BAE763033B9BF5BC713E01416ECB301A120B22A17037310E47662EA916A06AA09BB441DBDEE4032A6D59A0876ECC
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):662920
                                                                                                                                                                                  Entropy (8bit):6.526894314465185
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:+huSCyAZQUpHByI4ur32KWVyTHrpGUCiAqfoHD2AvdLnaSZCzm3slIalDoH7+F+2:+huSCySQUpHBl4uqKW2Hr9otZCCAlUHa
                                                                                                                                                                                  MD5:C3EA1FBF2B856FC25E5348C35FF51DD9
                                                                                                                                                                                  SHA1:87D8FDFDD52FA3BD59FDC7BB1E378091D0D91C16
                                                                                                                                                                                  SHA-256:6F24B8CA595B4B472320C7A104C64AAD6F0928AD4F1318D1DCFBB0C5BD488A64
                                                                                                                                                                                  SHA-512:298CE88D37E0496CDF6DADCD7D8890128B90113161311D67ED264B003D5840460FE594B8550FA46E45AF88564E4095C21B748CA3D2B497540ABEB0CAF5533820
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):177
                                                                                                                                                                                  Entropy (8bit):5.2011029533052096
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:FCp/32ZmsmyR73wy82K9oYGyvA9id2sycyMcVqotTBAtoZht3wetdQQqi5xQn:F+mdR73wv9oYnvA+yLM+At2t3wgCQPxQ
                                                                                                                                                                                  MD5:E7EE8D889FBD33DED17EE00BC9E98ED0
                                                                                                                                                                                  SHA1:A153B28DBB602C58A606A44906F38128E85CD285
                                                                                                                                                                                  SHA-256:2BA624377B2B788ABF3A248D956FF743E93F06746D3D2F220A2257AD94DA540E
                                                                                                                                                                                  SHA-512:006D57BA2F48792DB028437F814618F19AC2D21EA1A1E9BDF39F5853536441B3436BAFB866917CC6708B21C58D93495501DFA5B345F55BC49FEF766812E46DF8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:[XLY]..P2=LJBPHRBSRLCI.FNG..P5=IWLHTVJXHINUWUFBWIU..P4=FNCUNPTNLBMW.DNA..P7=AEXIKRSDXTBGHJSHHPK..P3=KKVIOQVTEUTA.OKO..P6=RFOLHRLVLKWUMQMLJJA..P0=DAN127..P1=e8a0d5af432b7e64DBD..
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):849224
                                                                                                                                                                                  Entropy (8bit):6.7893930691706075
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:V/Fiea85oMvk6SqMNH/U6beovEYNVXWTwROJTQ9wC1N4Lx09GpVuQ:VAF85oAk6lMNfU6beXwROJTQSC4l0KuQ
                                                                                                                                                                                  MD5:AA4E9E8A1B0B7C4126451814701A449F
                                                                                                                                                                                  SHA1:7D988C453283C345E17422FC4B2B6CCFD8200245
                                                                                                                                                                                  SHA-256:6CA0ABCD77232A5CBADE520596CAB305012ED72315C09CB5A30C3C1E96367F98
                                                                                                                                                                                  SHA-512:0738DFDE9EC2B1E23B88FDA344CFBA443705A3AD87F22629676118DF555BD395D1737066EFCC4257B8138A0D282491CBD30F36D1880CA640E7D463855C0AD63C
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:7-zip archive data, version 0.4
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):719
                                                                                                                                                                                  Entropy (8bit):7.651157103123239
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12:13GQDv7sWgZDAIXQk5m/2MnB82RU+JR/DoZMIZ6XO1a/oCfGEAxTNBfJb4eWNudj:1GQDvMAIgk5meMBXfsrZ7a/ODBpdj
                                                                                                                                                                                  MD5:2322FEDC1A270A91A3584496BF609CEF
                                                                                                                                                                                  SHA1:F422C6A1AC8BA5911C2A74BCBC052D11E43A3F97
                                                                                                                                                                                  SHA-256:832BD52C260A50338ABECA0E16A65ACE58DDBCD16F5E65A30BA9362822376763
                                                                                                                                                                                  SHA-512:575891E907D02DEA426EFA6DFB9AF11A4B2C23FA7C73C85ADA4C555085A6C0B14A76500974D89D1726A6853C8836F90A112F928DEE250E86681415DD2A8242CC
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):710888
                                                                                                                                                                                  Entropy (8bit):6.630506217753264
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:5n9CCUQ0bGwLt1n/iswKJLUY2XOrEO/6awL7wU0s6OzeoXHhS6ckqIbpieFGrh1l:7+tLt1aNYrfBB6BAqZkyQgJ0VL
                                                                                                                                                                                  MD5:C4A08B391245561157AEFD0FE7C40A11
                                                                                                                                                                                  SHA1:28D15D43A1BDEBC83701AFD89E6EA9C24F90DB33
                                                                                                                                                                                  SHA-256:53D7C8F2FD109E85FC9302B7424875BAD22A148D6EDC6C7FD8E4589E97259BFA
                                                                                                                                                                                  SHA-512:24C7608346B76694BF9D8227FF6A794B26D73C0DA93FD231A2331CD371ACC86F293FB9093850F5513DFBE1D269114A56F47DCADBA11BD98C691AB38472A6CCC6
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):15360
                                                                                                                                                                                  Entropy (8bit):5.306110093863136
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:U4MHLZo6ULkil3CtzKIoTRp6n7B56TXGy5+:U4MHLZo6ULrCtzcTRpUd5S2K+
                                                                                                                                                                                  MD5:ABE42D544B1002D50801E3075576F455
                                                                                                                                                                                  SHA1:58B6CFBB60EF6AD2734C163C4C83B04CBF617AB1
                                                                                                                                                                                  SHA-256:3D48A8F09DE2FD202BA4922D944FA7FEE03B1DF13FC3BFC22BE814937CEA52C6
                                                                                                                                                                                  SHA-512:C9B842A687FF0A6DC4E242AEB3CFB6964A7D4083A9D9A1583B1F85E949E68451C24744DDB07531DBE03B0539C9F1FDF5BE3F400D1A523325BD114633564616E4
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1390312
                                                                                                                                                                                  Entropy (8bit):6.599443687044707
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:znhMjKSFXpFEzq7zZvjyswjzYnOAjPSy36c9RCvirRMNJbd3g:jhMt/nVo2O56tibxg
                                                                                                                                                                                  MD5:C77EE913C46510A705A9DDDD91DE8302
                                                                                                                                                                                  SHA1:CB5E045FA27186B9F23E4919590387478B9343D5
                                                                                                                                                                                  SHA-256:092689651DB7B81A6816B1F78F8CF81476945D493E9566762F5791ADFC5BDA31
                                                                                                                                                                                  SHA-512:A6C080D04C92EFBF8A1A4A1D1423837B1282E4CFC0E77D9DA4BC9F78E235AA6CD8AE3468B588FD9D35BA656A7A1B27AAE805662EB6C84B053D0149855F4A6514
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):175328
                                                                                                                                                                                  Entropy (8bit):6.879935553739908
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:jnrQnzMYywmn3h1sp7/WvCnIukR4BbxKigu/fgl1glfdjgBftJeCEEzx4N7mcr5:XQnzXtr7tbxKVuE1gQJeCEMx4p
                                                                                                                                                                                  MD5:BE4ED0D3AA0B2573927A046620106B13
                                                                                                                                                                                  SHA1:0B81544CD5E66A36D90A033F60A0ECE1CD3506A8
                                                                                                                                                                                  SHA-256:79BF3258E03FD1ACB395DC184FBE5496DFA4B3D6A3F9F4598C5DF13422CC600D
                                                                                                                                                                                  SHA-512:BD4E0447C47EEA3D457B4C0E8264C1A315EE796CF29E721E9E6B7AB396802E3CCC633488F8BEEB8D2CF42A300367F76DEDDA74174C0B687FB8A328D197132753
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):618728
                                                                                                                                                                                  Entropy (8bit):6.588792056328895
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:B+jJIpPUHR7IS++ZbaL/mH6yf0fvmuZqhI8XlF7YfkLfm7WUjxioncm:U++4LVs0QpFaIm7WKgoB
                                                                                                                                                                                  MD5:6E8F89DA86BB82538932DB314C2208F8
                                                                                                                                                                                  SHA1:A86C373D7BC49032F0EB7D0BB01DA74BA67B4F43
                                                                                                                                                                                  SHA-256:ABA5E0FFC2D21CB5045D13CE66F8D80862600E37431D20E999295CB07DC5EF3D
                                                                                                                                                                                  SHA-512:7EAA25D7AC722EF7687357356AC9635B80158918BDA03C3A7E49387BEACD8CD2A9A2ACFD8B5D13571453A7279772FA726A75C9DA0FD7EC6D5BAF202FB928F00C
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):147176
                                                                                                                                                                                  Entropy (8bit):6.792908985087195
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:oAhT/95cw+pUD+U7s3H9xMaZ7DdJMq5mZZEGP0V:RBADU7s3H9xnBhJyZZETV
                                                                                                                                                                                  MD5:2EEFCD3D407E4DA935E5B60EF257E153
                                                                                                                                                                                  SHA1:34F56846E9F48F9775DD8250897345B7736DE213
                                                                                                                                                                                  SHA-256:837B3DE5BF545BAB85599F0B6D36D8DFE4B3595AE94254CF7C968D1D7DA86F35
                                                                                                                                                                                  SHA-512:EA05765A18CDA52A7398E04947C8DD6828BE06B07261C612BB8E550656FF5F9EBBD37F85C07007980044D2036171227EEA978B0D0592D6D584A5DEFE53BF8968
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):174824
                                                                                                                                                                                  Entropy (8bit):6.422260069407969
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:vjNq/3Jyz4vHAYH7EKJ3eAlNd09cd7g9EEnQHBdp5FFmvBh7P0I:vjN6yKNBJ3eAdNEEEQHB/F4BhII
                                                                                                                                                                                  MD5:ED2ACECC811ABF288316C709E2F2D943
                                                                                                                                                                                  SHA1:0CCE7CC3687CAAF59E6DEA1A90D1214782B5742E
                                                                                                                                                                                  SHA-256:C3E9F2023A28A2115D15D8DA451B8105771C4D4746F494CCF83FB28623CF724C
                                                                                                                                                                                  SHA-512:9DD510EABDB4D59B82A7492DFE6A6D11C47721DD0B7F0F22C8060063A94E36FE93A28EC19815AA68F89B1B807AAE584B304AB15D183493295B7E13E65527BEE0
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):559000
                                                                                                                                                                                  Entropy (8bit):6.789431209891293
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:OrswC3DEddri7Dj1XHmyZQNCAGTFgRJz/9i:gsP3Dwdri7DjlHECAGC//9i
                                                                                                                                                                                  MD5:EE6AA967C56CC0D0820C95D4FD89FB30
                                                                                                                                                                                  SHA1:D1C5161FB8CCA7FEDFFC1056FAB8D79309EEC01D
                                                                                                                                                                                  SHA-256:C7CC69762AE72840D200C14E652A460807F487059F7D0780E245AB36AF445B9B
                                                                                                                                                                                  SHA-512:8502D5E4BB48FE3ABCA897F293199815CE7DBB67E4983BF9A9631A4F92602289FBF08D42DC547B96E1C8338C77108019B952DAA5D682465C7C5567CCBAECEEAA
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):49480
                                                                                                                                                                                  Entropy (8bit):6.739956450503979
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:C2a0KRlGHkg3oqHo3eaB6e7NXQxZzYf3yvZ6/WitUDvb1PRF8oaH:n/HF3xb8KEvyE/cDj15FI
                                                                                                                                                                                  MD5:E2D837E2B4DDA87A82553631E7D5627A
                                                                                                                                                                                  SHA1:9F1A5A95B4F0AEA6F9061140F0E22EDA819A78BF
                                                                                                                                                                                  SHA-256:A5118527EE28C3C263F3FCC3346F8BCA83284E21C8149082F8D1AAA68B39EBC6
                                                                                                                                                                                  SHA-512:3FDBB618C9F49FE5C7EA81398401C5AD19EE8A215B9A3D29FC03071935E566B80560A775CEF3F1502F8447B2A2528285C8D4586C576A3E311241A06177E14C52
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):383720
                                                                                                                                                                                  Entropy (8bit):6.579374990134974
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:oG1pYD09uIwtl0F1LrheKG/HYStQGz1DAOoQGEnb5bj1hFu:X7g09uRlYeKG/DHegbjs
                                                                                                                                                                                  MD5:3CE009AFF2FE459A8248693AC8DAB788
                                                                                                                                                                                  SHA1:607444A7B8AB2E17C525BBE0B28878C3BD0F8099
                                                                                                                                                                                  SHA-256:11856EE1D754D31AF95F1047CE6B68CA2395C703A995525FA5D9E4A2678D0B86
                                                                                                                                                                                  SHA-512:1AB4ECB89B07F09985B57F0D546FE6063D8ACEDE435F74075EF9A37288F7D9D19DF168AAEDB38093D88BA2E515CBDABB23F87163AC8FCF9A706448B0F4FC2774
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):406248
                                                                                                                                                                                  Entropy (8bit):6.190903413261375
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:OazgQG4JdLe2p+teZ3q9y/3clyMEcLeowam/xohKKJJT2pgJ1JhfQeUnZdnkewZ:HgVGemGeNlYbR2am/xolx0nZZjm
                                                                                                                                                                                  MD5:E5E4828980E5C836163382F9642D4D24
                                                                                                                                                                                  SHA1:E8BFB72EB75D20DEEA9152089B7092E07F2EF2F3
                                                                                                                                                                                  SHA-256:639EA37856839C2D5446A82441D7AB94204EE1172487EB88E9AC1CEB6261D554
                                                                                                                                                                                  SHA-512:6F621EC441CA46CC48A48056F8E278FF746ECABDAB1933C0FEE18574EE366BD9721487D6462746B6874A5B2CD4D8FC327B5089F351CE8086E10061791034794B
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):887648
                                                                                                                                                                                  Entropy (8bit):6.72536750906441
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:rMl3YXVguMMrGA+64Z/fOl7FPZ1ZGf4a9nCFECq3N:Q0LMe4ZHOFPXZGfNCFEzd
                                                                                                                                                                                  MD5:CFB50C3C7D74F518CA9E2828E702145E
                                                                                                                                                                                  SHA1:E38FD98574C08BCC6415E62EA7C9A380958A3D1C
                                                                                                                                                                                  SHA-256:1C8FF953478CC71166A36181ED32AE7C48B267B011240DB2C701E35D391A66EE
                                                                                                                                                                                  SHA-512:BD08332BDB78614F1CDFD2E4939B1B9400476D99B50996C17C0277ED76DB5972FAC5EC77DCD4C56459DAA11C6126DC12D66A4E59122DC9B8D89FF6DF89B83240
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1001320
                                                                                                                                                                                  Entropy (8bit):6.375963793592453
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:DaG9UYtX8J3EfBCMwM9E4jRcoI237MSW7/HTdPSYPJBhnHRxd/c:Dx9UdYRwM9EWI23wSWHdPTJB5dE
                                                                                                                                                                                  MD5:074CFA8CC35DC642A2B95CC96CE5357C
                                                                                                                                                                                  SHA1:CEE218C914D530BE6C9BB9531E78F2137224D5A8
                                                                                                                                                                                  SHA-256:4DE592C87C443780B5D475414196B3C5406ACEC8809EA65AF45A50E7E43462A5
                                                                                                                                                                                  SHA-512:EF776EB824F4C3152A380B3EC2858A11A96E48711C213AF905FE2B0A972F9CB4A7D83B4B96848DB0B478AF4D19623CB8AC0E5F8FC47007B39E0F16FC2E5FC851
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):247528
                                                                                                                                                                                  Entropy (8bit):6.604794755347589
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:2Y77YOcw6BdKQYuVXsZy54tgQCkW30W9ezJQ4mRan5kiINyyT7PK0AMZcan5aj9b:n7YiJEIy54gFogRa0Nl/N1Sjl5yxAl
                                                                                                                                                                                  MD5:9B05B1F0E62DD100D385807262B84A90
                                                                                                                                                                                  SHA1:631449787D7532A855CB061E333C0712AC20E753
                                                                                                                                                                                  SHA-256:6BC0133A16C7F058E5C0B6027929DB1145D37717118DBCF24013FA4F2D79E848
                                                                                                                                                                                  SHA-512:9F43A542B38D998038D20467BB797CF789A36666F4B8154A548FD6E7BA24A20256C9A0BAB64CD43CB12BEBF704A524FE35F9652FA399237A3F0AFB3BF8670676
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):705768
                                                                                                                                                                                  Entropy (8bit):6.685295160437571
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:S/20NCvMDhBsqLeIQA2BcMNcYB1mF5Q3LNOsbwbekwCYgLECHqa7XWpbt9o9TehK:e2KC6hBs6f2Bcm65sO8wACHqaTQJe9Tn
                                                                                                                                                                                  MD5:8B632FD2D4EA70470AF97CD5E88F74D7
                                                                                                                                                                                  SHA1:9E384D37EB586E9B187F4FFF89C2F104A7921F44
                                                                                                                                                                                  SHA-256:AFCBB8BCE2E5C8C5E9AA851941E626A62573E6054EC75C14066AD37726BB9DB6
                                                                                                                                                                                  SHA-512:5F7EA2BF6599AA9E0C44C2820F89DF0827EEBD8A037C9DF2AF516D9865BBEEAF31CAC89AF7214A59BD4B25F2BF7EB94E257AA2766F1D12892E1C34E78776F5E1
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):202472
                                                                                                                                                                                  Entropy (8bit):6.660474984647205
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:jLH6l5IoUzqiNVwzQyaT0NQgepguwz+uQJOAg0FubAIrnXrsFCAsKIP0a:SluoK7QiToQdeAOpLAFCtKha
                                                                                                                                                                                  MD5:0EA1C58DEDF685A4A1EEB1C7BD1C972D
                                                                                                                                                                                  SHA1:66CA439A737A35FC936D2C8F990AD3538D9F2CDC
                                                                                                                                                                                  SHA-256:41780A7339545676A2D587CD5BCEA9181E6FAAF3EC73C5006D7D76B47B98A6F2
                                                                                                                                                                                  SHA-512:D16B0A12EE38399C4B05F38E0CCCAFA6BD4984C353AF845337F3E5E8D64AAF3D9B1561E423C5CA59D2652EB083E92FB8832168989B34F11465AD581A39739BA7
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):247528
                                                                                                                                                                                  Entropy (8bit):6.255611405833788
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:MzlHNKfmGZoRwaQDy4ikigoh7Chpq8eFiybV:6tp9QD7ihgohCQFh
                                                                                                                                                                                  MD5:9380B590C9BE993F3F253469D0933765
                                                                                                                                                                                  SHA1:0DF57C8EA3D19DCEE142F03D0D6FF4DA7EE5BCCA
                                                                                                                                                                                  SHA-256:CB8BE7A72561A379B122AB70CAE681840009CE71C9C50B819B2B9E8CCC7A5B73
                                                                                                                                                                                  SHA-512:2277F388E10D8D579203F7546C30DD314C4BA0AEAC0CFBDBB7F393FBFE54F7ED60FBEDB31E524275112D9E1BDB9F5CB24AC02259ABBC096A81E8CE2D32B87F6A
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):705504
                                                                                                                                                                                  Entropy (8bit):6.635093248285898
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:GngcmdomAFsBeQsv5REGqRXkgVP73MfsPF9vyt2nSyv9K:fLAFKsv5ROkgVAfsPTyEnD9K
                                                                                                                                                                                  MD5:C40E8A502AF91ACA96B85AB36CBE818B
                                                                                                                                                                                  SHA1:004141E75604502E2EA30C5760008368C36850D8
                                                                                                                                                                                  SHA-256:A10966CC2785845DC296D90EF9C97ABA865BD06DF1A8A7006A7EE53EBD2152FB
                                                                                                                                                                                  SHA-512:219630292A8CF70311F06DC1F3A99BA948E7E7BBAB937B0F5B928121838B79FE851B70650BFFD07A4F36A22E2A7B34DE4461D8F4C97FC1322026CA2C5C2E31EF
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):966376
                                                                                                                                                                                  Entropy (8bit):6.564045153487216
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:3lzYxkj819KdVtUSPczJfKbM1aIjvI7BxwwuDFkrwtFkUHUZ0sIPbtYUkXAJfTSH:1zge8XKdVtUSPczJfKbM1aIjvI7BxwwH
                                                                                                                                                                                  MD5:A9FF3D29AF8CCA5D3C90F17709EB0548
                                                                                                                                                                                  SHA1:7F4B69366BA3BBB7BF08206FEA672C807CC2B562
                                                                                                                                                                                  SHA-256:45E8B5F32CDE9201278500DF961133AD26AD60C531FCFD77D3D26FEFF105FFD0
                                                                                                                                                                                  SHA-512:F043D1599D57B1E86D97CA1E81CF81FF0B3C97B95F1134ABF6DEEAC615F37645A825363315F5FB2139286BB5AEF5FA26C375E829AEC897C27CEA30199310123C
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):871144
                                                                                                                                                                                  Entropy (8bit):6.407442398411684
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:hgjR9MABH2uK50bPcjV/3WU020ZQA8NM/rmn:ghB1W3WUVeC
                                                                                                                                                                                  MD5:9A88DC21D3AC42ECA184F37297387BDF
                                                                                                                                                                                  SHA1:2F82552EF8F4B6A10356441CD158F1A0C5905913
                                                                                                                                                                                  SHA-256:466DF96D59B878EC6775ECC4D497B71CCD73CB11FBB2C2B23575EFE055BFFB75
                                                                                                                                                                                  SHA-512:1136D371771A71D329910ED9BDBF8243F74AD19FCE75F9A8712BC1E1E53EA3EF3722D4E067AB5567366D40D2637AF7E119E7E31734DDB57BCEE126CFE932C37B
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):927976
                                                                                                                                                                                  Entropy (8bit):5.917840435230856
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:Syp5QtiR2fVE00WKL+YD5ndNpKrtvKXVsFpJppn72z+T73P+2QHkgFrGCZK:1POE00WKd5ndNpKrtClsFXnhT7ZAkgxO
                                                                                                                                                                                  MD5:158D719030DBD08384235B165FC211CF
                                                                                                                                                                                  SHA1:A8161B15C0BC6576829DA4BC0732794B0AB2E37C
                                                                                                                                                                                  SHA-256:BC33C91BE3D31557B16F2B91B90DE96580C3CD2510E3C3D3B77E3D4CC8DBB0B4
                                                                                                                                                                                  SHA-512:383E551FFC50D17E9A5B466E996614B5AF35BEB48A72A47CB7D5A35B68D68906E5ABADDAEABD439AA214BE28E7A27FBCA3872537D65D33CA64A53B513A924EDB
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):575720
                                                                                                                                                                                  Entropy (8bit):6.4118078561661545
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:FoblSYniV7pA1yJVyfI1+RZSihzvjZh2Tx4UTFAzmp4ZZPy1KlU1E:sfI1+RZSiz2VlTF+XHlU1E
                                                                                                                                                                                  MD5:82DE25B17C3B9D6BB253B6BE7AD2FEA1
                                                                                                                                                                                  SHA1:6F6BCF23753F161D4DE444978C3EBC003D361B2D
                                                                                                                                                                                  SHA-256:165FC9F929853B4AE8603BB0C7807456B99871A7C8E9078F95D954C466A7172D
                                                                                                                                                                                  SHA-512:71EA0FE18F1EBDA98067460E6661FC108E7116E71651B0D05FB8365BDA92E1DBF02B89D20DF6B47C7557AC52877ED8EE503373164079C0F5C62EBF16439867C4
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):682216
                                                                                                                                                                                  Entropy (8bit):6.095070464124169
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:rhqnA1JpofoqtokijtH2OMoVTP94CCIKGJToFTz/goFZKk:VqnALpPqXq92bEx4CCIKGJToFTz/gox
                                                                                                                                                                                  MD5:3D7564C3B97E0DCC859CE8FAE51BF196
                                                                                                                                                                                  SHA1:F6588DAA615A45E375AB4CD8153A3D9BBDC476C6
                                                                                                                                                                                  SHA-256:73D11EF506C2282DBD45C4758F6C6B1352C596B1EC684BEF30778965D0774F1B
                                                                                                                                                                                  SHA-512:C6021111CA8F0B8BBD111F85397C0F91DD2423B9168711296B484190CF5C43CABE6215AFE4533881F0F285FBB201D4974D7343E92F33681B1983BB1770110246
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):628184
                                                                                                                                                                                  Entropy (8bit):6.631864802737484
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:Q9tUcJqS8DI9baOCmIJkPI9VYxPmb3pJ3xW2orMvM79G:GWKqS4OjlPUkmrpzWdSM79G
                                                                                                                                                                                  MD5:BFF0CE8D5C44994EF19F63D63CC29EEB
                                                                                                                                                                                  SHA1:B2837190927EE952721DBD5127C426D28FED9230
                                                                                                                                                                                  SHA-256:08C6DDD72CD481672476625BAB435993F2F0C85F835B0313C593F46C49DE6781
                                                                                                                                                                                  SHA-512:F527BB56DA57CA6BACDBA7871D65E48CA6ADEFE7F61240D766A6881C301B63C60063A09FA73E8BC64F40A01AD038B446B660A8ABC7719B84F1C6FE3654551420
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):117064
                                                                                                                                                                                  Entropy (8bit):6.436398487030181
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:pxNcrXn306zvccqtaGYvPCa/I7206aawWKxocUoiZw+BpQR9oLMm:pXcD30gccqtanCM0Wwiw+BpQR9oL
                                                                                                                                                                                  MD5:80907BE35290D47A8C6DF50A0B44DECF
                                                                                                                                                                                  SHA1:DBDDA59DD78716AD28FD37BF2619FC183D27CAE0
                                                                                                                                                                                  SHA-256:4C4853E4F3990FFD0B3D6EB1436A885559564C1065C26490B777EC9D3586A5C4
                                                                                                                                                                                  SHA-512:09D05C3133569548F4F231F0E06F6F29D57195C927B908F973CB05ABDE6214CA1E07399CB32EA5EC02635D81409B2A8F8F6BDA21F6B51B2A02115C2DF95B3B88
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):171592
                                                                                                                                                                                  Entropy (8bit):6.633100643329799
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:2g5d8g4gNv+wAGzpjdNwCR5t9Owr5HQ6UnsaP5YCnF+wFxDA:xDRpSs5t0u5wbfQ6E
                                                                                                                                                                                  MD5:FF07224F63F62ECC5C6F2DED09DEB0AF
                                                                                                                                                                                  SHA1:D3ADF969B20A3E42032E60A87DBD69834A748C1A
                                                                                                                                                                                  SHA-256:A9F37F82413889A66F7063991F5C2E6DBA05A35A245891039204A478DE318357
                                                                                                                                                                                  SHA-512:92B763A682C9F479F539AA945F245940351983EC04829FB6D614BB7ABCADE60E2205244C583F63547CF83F4819503529FF01411E08C9CBA26972222D2520AA4D
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):243944
                                                                                                                                                                                  Entropy (8bit):6.56760832272308
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:YdtvVq01U5wXzfoUEwDTw3lCovmHDBYOfdv2xJ82wEdl/NPgqddBumr5365mwkq/:yNI0O4awI3AYqYEv2QIdZTJJYD1Y1a
                                                                                                                                                                                  MD5:FA85435627D31663BECB82EFFDFBE2BB
                                                                                                                                                                                  SHA1:C3D9EEA92EF90E652F500A1F900DA4E20A010C2A
                                                                                                                                                                                  SHA-256:7E0343BC0108526442E8B3FE7E538272FA6240E425BD8F318924573B59BD9DFB
                                                                                                                                                                                  SHA-512:7DA0E76E88D8E78D23E7E6BE0A184BF52DF5032113DFEBE087C3463AD990BE38CD4FD34586CCD367B381AE749F16E04573CF91E4B3D7A235A865D175FAACBDA8
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):404296
                                                                                                                                                                                  Entropy (8bit):6.509440609680588
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:iwa9e5G4aES0Qux3nNj43ziT7U2mSBzRD44shPBTLaqqDL6UbwHUu:Y9exL3u0U2pBzm4sxBTrqn6Unu
                                                                                                                                                                                  MD5:630AE5740C702AF919BAED414DE8CFE3
                                                                                                                                                                                  SHA1:26A50EFF049B2DBC24BE11411032172E82B37B04
                                                                                                                                                                                  SHA-256:C3F08B4843DAF466148EE99DBD0D300B2A92BB695FCDE001E288189A3582300E
                                                                                                                                                                                  SHA-512:A714A6F13CE33D8EC31772F180F611C491110D438019D4FCD88F2EB114B41FBD28878B8B9C6BA723D892405DC825917EF1D4868FFB66069ABE49E5AF286F491F
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:MS-DOS executable PE32 executable (DLL) (native) Intel 80386, for MS Windows, MZ for MS-DOS
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):60896
                                                                                                                                                                                  Entropy (8bit):6.847633229504993
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:NnCuEmXB5UMI3nhKrbZCWg/0/NC8hUDVsa0T1zj9KyhaMQNDG0uKjKj9MPgkz:N7Rx5Ulll8/H+x0T1zj9lHeMy
                                                                                                                                                                                  MD5:690612154E7E5233AA980016CEAEDEDD
                                                                                                                                                                                  SHA1:9B16E2F3D799EA506AA6A8F53FA4DEB36D73F5D4
                                                                                                                                                                                  SHA-256:FFB81D34A14B5837AC713657F7892E790F85564BC2BA792025B0F9E9E0959AD7
                                                                                                                                                                                  SHA-512:1F93AF0CA40DB562F7ECDBF19A0D899044BCF1F181B03E57E6B6F2C72F532652798023612BE9DEFE6261D631D10898D30ADB28EEFF922B72734B4DB27189C210
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):171848
                                                                                                                                                                                  Entropy (8bit):6.451554967739461
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:NQbFXbsJHCPNUzpNd0hq6pPyNVD/fAudYMi429OYHUMu73zE55C8f:atWpnztVLffdYLN8YHa7w
                                                                                                                                                                                  MD5:9828C8A355EA0F393260D6E3F7D511E5
                                                                                                                                                                                  SHA1:DC587D4215DC083A35E4BBEE095FB3FB07A73C33
                                                                                                                                                                                  SHA-256:B0D6D85D02E7650E03AB9AD04E90341EF6F5421DDC2AAA7AE65692944C298671
                                                                                                                                                                                  SHA-512:178D1AF5ABB116762C37714F2C142DB02BE9AF8B0C9BCD4948DE122583A9C815E1AB1F709E3167A096947CCCCD6ABEDC4BAB7ED405D207F097BD35640926205A
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):304640
                                                                                                                                                                                  Entropy (8bit):6.443933218835315
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:1AXDdMpEeHyH/D1kApvwp+ZniFARcRdhAGXPR:1Az6WeHyfDOAdwp+doARcRdh5Z
                                                                                                                                                                                  MD5:BB752561CE0859324FF01369BA8D25CC
                                                                                                                                                                                  SHA1:8C42AA1FF9060E58CFFD0EE9997DF134FB3E8739
                                                                                                                                                                                  SHA-256:A243D55655789EF26972546B7DC9723953564F52AE1C46087CCC2DB96F5B8D83
                                                                                                                                                                                  SHA-512:0C493C6868F4E2D90E3FCD6B71116769F2FA2F61740BCB9671B1DEEFC4628BE05E4441CA2008F6AD3F72BAE7C14028A7565CC2FBE68478E620F3CF9418357182
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):138056
                                                                                                                                                                                  Entropy (8bit):6.637936005523512
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:LKDfRbUTKLoDy1wSSH/2Lq62enAhXx2+EKI:KJITHu1wZf2Lq62UAh6
                                                                                                                                                                                  MD5:F62317FC61CA698D45A54C0F7A8A78B8
                                                                                                                                                                                  SHA1:F61D256EA3E3DD85CE7C44DC61AACC93E720F692
                                                                                                                                                                                  SHA-256:59DC54DD624E26D07EE8A908476EE67DCC3B6BA690F566C30B5522B6DCB8EE85
                                                                                                                                                                                  SHA-512:C06E046EDB18EE40D63411AA689280A73EBBEF3CE6977C51F629C43E6A6314895BCF2270E43CB1D9DD847B33874BC812778ACCEC07ED0FBFB9791556027FFCAD
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):170856
                                                                                                                                                                                  Entropy (8bit):6.55483314591404
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:4JJiNkByXIzFu3wK672soO82qUyleRR2v6eY8lMnu+wqH6F3:477yIzFfKTsS2qUKeXC5lRR
                                                                                                                                                                                  MD5:7EE49A57339ABCC35FCDE25D3F5EE8D9
                                                                                                                                                                                  SHA1:7A7F471DADD973CA57C79C43D93828B4496570E8
                                                                                                                                                                                  SHA-256:DC477A4B41CA92D94CB7092B458F35DEF2EF6F9A0B23A237A363E341E22AEABB
                                                                                                                                                                                  SHA-512:F978F6C882D80CFD87B2EF75EBB1C18C9BFB6759D28C0F503395217373AE241E5B08212D4D42373F6B94AFFBF775959E06BD1CAD5D09C488DC139906A0D4AB4B
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):111336
                                                                                                                                                                                  Entropy (8bit):6.7222941004358425
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:PTxwTSQCdxm/78XLv6JYZeD9GIn+uowP0T:PCzCeeeYAD9E5T
                                                                                                                                                                                  MD5:8719E73BC84D506FE7F0D367AE46ED20
                                                                                                                                                                                  SHA1:D60A1FF7B2478ACDA7C5C1730E0B963594311FB9
                                                                                                                                                                                  SHA-256:C110E1FF4F233669F1E035129E137ACED1A3632D17A8302502D160DC16FA9AF0
                                                                                                                                                                                  SHA-512:AE00044E9EE7B5AF66105067877AFD68D79ECEB6C945CC07F390D15A2E1C0832C578146E6B0657FD8A29F865EC6DB78DEFEB7C1BA7E3AF0D1427EFD22A67F8B8
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):42733846
                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                  MD5:6226B504352339D1F6D3ADB0D02119B0
                                                                                                                                                                                  SHA1:B415E19CFA4555BDE778C695626D752732A739FE
                                                                                                                                                                                  SHA-256:011540BA483A93324CFD6E720745F80246633A118AB2DDDEC16B4BDDE1E4DF94
                                                                                                                                                                                  SHA-512:EE3CB529DD63E3F2C0782C18F32798021E72B6AC4B1BB30704202195710FD7C981FE2123B4C99A6C1AF60BE1E5B734665394F64466201D11AAF8504E114B43D2
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):71954
                                                                                                                                                                                  Entropy (8bit):7.996617769952133
                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                  SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                                                                                                  MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                                                                                                  SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                                                                                                  SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                                                                                                  SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):328
                                                                                                                                                                                  Entropy (8bit):3.2401865105070096
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6:kK/vT9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:nvqDImsLNkPlE99SNxAhUe/3
                                                                                                                                                                                  MD5:280DC4E9D653298330792336CBA3F6A7
                                                                                                                                                                                  SHA1:69096E26A1438C27C0073F09BB9E33122887D97A
                                                                                                                                                                                  SHA-256:94CFA53CFA9887EDD5EE57E391417B410F0FB718309D298A3C7F4C51A2CDC940
                                                                                                                                                                                  SHA-512:7CD5FEC56370A55871A3FEB7B663BDF6ED8982CFB6F30650BE1BD020AB4A3F4A8B0A63801C3F44EB402D64FFA1F07518864448AFFF4F2EDC0263D23634221738
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:p...... ...........N.a..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:modified
                                                                                                                                                                                  Size (bytes):27
                                                                                                                                                                                  Entropy (8bit):4.088220835496803
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:1EyEeBn:1BEYn
                                                                                                                                                                                  MD5:4AE8A010782B10391BA0AF6F4DC3B667
                                                                                                                                                                                  SHA1:48999DD7C62D642974049463C4418457572177D5
                                                                                                                                                                                  SHA-256:C0B2445FCAA83FA4F12DCCEB286EAEB5D278E06DC27E549F49E1547B36A046D5
                                                                                                                                                                                  SHA-512:96C1551461FDAFFDF8B9F37198FB2BC1CD18B0B27494E94705DD6A2AA1F4EA17C5014E0F2C54E6B436D796BED334FD6AD637D374804ED1815488D4801FC183E6
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:[General]..Active = false..
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):33470
                                                                                                                                                                                  Entropy (8bit):3.706230541393569
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:Qne1zLTTetUnZkJcrli1ISAYRHnZx5Rh2qyPMx3dARzeWENH76A1SPVw:YE2
                                                                                                                                                                                  MD5:E8860091BAC5A35F3A45DDE4202D2348
                                                                                                                                                                                  SHA1:E657E9C00AACA1885AE327974E2FA3935BA34124
                                                                                                                                                                                  SHA-256:4781AA6CD06AE3D0AB071E9BEEECB39BA258A4FA70549BEE9CD4CDDB695A3F49
                                                                                                                                                                                  SHA-512:56F11D0C4A789B12AEB46672310654119A6DFB4BC46CE61721F3DA53581793BBF801004E77FFE00A6060DBB92A4FE2016EBB24E0D77F9C3ACB94EF4096CA9892
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:..[.H.i.t. .{.3.B.B.5.E.7.0.6.-.3.C.E.7.-.4.3.E.6.-.8.2.B.4.-.5.C.3.D.3.5.B.6.4.6.B.9.}.].....Q.u.e.u.e. .T.i.m.e. .=. .0.....H.i.t. .T.y.p.e. .=. .l.i.f.e.c.y.c.l.e.....L.i.f.e. .c.o.n.t.r.o.l. .=. .s.t.a.r.t.....P.r.o.t.o.c.o.l. .V.e.r.s.i.o.n. .=. .3.....A.p.p.l.i.c.a.t.i.o.n. .I.D. .=. .6.6.2.7.b.e.3.e.2.0.a.5.9.a.d.e.4.c.1.a.d.d.8.b.....A.p.p.l.i.c.a.t.i.o.n. .V.e.r.s.i.o.n. .=. .1...1...6.....C.l.i.e.n.t. .I.D. .=. .9.3.5.B.3.7.D.0.6.1.E.4.3.3.2.C.2.5.2.D.D.0.F.1.4.1.F.F.9.D.B.7.4.8.E.2.0.C.4.0.....S.e.s.s.i.o.n. .I.D. .=. .{.5.E.4.B.5.6.B.0.-.5.9.3.0.-.4.D.D.6.-.8.8.A.C.-.7.3.0.4.D.3.5.B.0.E.6.3.}.........[.H.i.t. .{.4.E.D.3.4.F.4.A.-.F.C.D.0.-.4.8.3.F.-.8.F.7.6.-.B.E.4.1.E.B.2.1.2.D.E.F.}.].....Q.u.e.u.e. .T.i.m.e. .=. .0.....H.i.t. .T.y.p.e. .=. .i.n.s.t.a.l.l.t.y.p.e.....V.a.l.u.e. .=. .i.n.s.t.a.l.l.....P.r.o.t.o.c.o.l. .V.e.r.s.i.o.n. .=. .3.....A.p.p.l.i.c.a.t.i.o.n. .I.D. .=. .6.6.2.7.b.e.3.e.2.0.a.5.9.a.d.e.4.c.1.a.d.d.8.b.....A.p.p.l.i.c.a.t.i.o.n. .V.e.r.s.i.o.n. .=. .
                                                                                                                                                                                  Process:C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):174304
                                                                                                                                                                                  Entropy (8bit):6.858552596804119
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:Q0HJ5wo1/MJjozYJimE2BamDKigu/fgl1glfdjgBftJeCE5vLEnM7QrRz:/J5wUmhkmDKVuE1gQJeCERLG1F
                                                                                                                                                                                  MD5:0D318144BD23BA1A72CC06FE19CB3F0C
                                                                                                                                                                                  SHA1:91A270D8E872EA2A185309CA9CE5D9F08047809E
                                                                                                                                                                                  SHA-256:60503684F39425C5505805A282EB010ECB8148BBF7EFE9BBA9CF33C507AF7F3A
                                                                                                                                                                                  SHA-512:A3F3C7D84644B13868AC324947C2D678620E341E368B781D45F244A53F448D6B24BE7B50AC9908728DFBBB74214FCB46902137910E907F14F601518C0EFD215B
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):157184
                                                                                                                                                                                  Entropy (8bit):6.4699325010744015
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:tJpAAXru5+rs45R7H0fABoTRo3hJjfP8mr:tJpAAXru4Fj6soT2LM0
                                                                                                                                                                                  MD5:C50F56319C92BC129039E3860294AB5D
                                                                                                                                                                                  SHA1:470ED2516A0FF86F25C7CEBE3084E238CA8879A7
                                                                                                                                                                                  SHA-256:56E8A343602DDDC6D7B6A787827801A3D2BA69ABAF1C61874EF9286C2D288C6B
                                                                                                                                                                                  SHA-512:20451481425424167EDF4D8C1562EBD7619D5FA0D4BB46C1C30840C9E63C617F94B281C294E3FBEDD290A76C543E4A1C3518B8E66D919743B9CC1F966D8E0CE0
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):667648
                                                                                                                                                                                  Entropy (8bit):6.655676024268379
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:G36HjCm6ltuRXQ/g+hVfW2LDzeLA5rJWutAWQSHOALXB:VCm6ltuRXKg+hVfWkDEA5tDuyX
                                                                                                                                                                                  MD5:BA4ED2E6B25A8C9EDA3DA4CE85A5054D
                                                                                                                                                                                  SHA1:C3B2EF12347E0C5206B4C3959FA96CD7F064F10C
                                                                                                                                                                                  SHA-256:31370AB9ECAFEA8528D0C844C34B7721042C93A8E45278C4452B62ABAADE9182
                                                                                                                                                                                  SHA-512:87C10EA2B82D79BD96CA453D808D937841A45CEE331E5914E5B9A7D6665BB41864D90E08E47F4000C1EEBC64F1E4035B010F545B2068B3604A7B8C87F1D30DBB
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):58368
                                                                                                                                                                                  Entropy (8bit):6.398722888372975
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:qjw1c0DJ1xDL8lCXy60KlCXy60vcbvM1id4xSu:T1HPxD2Cj00Cj0C00WxS
                                                                                                                                                                                  MD5:56867EECC2042A0FD681F3B90D365A16
                                                                                                                                                                                  SHA1:021DAC119F8E115E6DF308DB85BC8760078D9719
                                                                                                                                                                                  SHA-256:48F8313380BC6FA33172888B8FD9874A6ED5465213BACB9F8D5C2BB3AB37BAEE
                                                                                                                                                                                  SHA-512:EBB40D1E1A7F6B9E9480E544A67C9383D53A708547ACBA787BFD7C5699E491EAD7FAF714C5D84407B3D9A1DD2051205E0A299EAEECEB44422E3874C5E55CC65A
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):32256
                                                                                                                                                                                  Entropy (8bit):7.484270190239562
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:tUqX/E3rJA4ZX6xUrLGwk9xAlvcuHnYoq7MNC3Il:tUc/+vKGnax8ESY17WkI
                                                                                                                                                                                  MD5:63F6D9FECB240388D69CB668CFE50C00
                                                                                                                                                                                  SHA1:2B67BB8AA45A9D0383E76F15E631C1131B28BB1E
                                                                                                                                                                                  SHA-256:678D6ED15F6150BFD5BA8E823CF877C32BB492E8557E107FAC77143DAD3724F1
                                                                                                                                                                                  SHA-512:176B096493206D2DADB17D778E959855DEEF0EC8D5343C09790CA6C067A338ECE44138FA9081888CAA2228A041D2A8C71B085AD8FEFAFE479505F667F6D2B7E6
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):177
                                                                                                                                                                                  Entropy (8bit):5.2011029533052096
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:FCp/32ZmsmyR73wy82K9oYGyvA9id2sycyMcVqotTBAtoZht3wetdQQqi5xQn:F+mdR73wv9oYnvA+yLM+At2t3wgCQPxQ
                                                                                                                                                                                  MD5:E7EE8D889FBD33DED17EE00BC9E98ED0
                                                                                                                                                                                  SHA1:A153B28DBB602C58A606A44906F38128E85CD285
                                                                                                                                                                                  SHA-256:2BA624377B2B788ABF3A248D956FF743E93F06746D3D2F220A2257AD94DA540E
                                                                                                                                                                                  SHA-512:006D57BA2F48792DB028437F814618F19AC2D21EA1A1E9BDF39F5853536441B3436BAFB866917CC6708B21C58D93495501DFA5B345F55BC49FEF766812E46DF8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:[XLY]..P2=LJBPHRBSRLCI.FNG..P5=IWLHTVJXHINUWUFBWIU..P4=FNCUNPTNLBMW.DNA..P7=AEXIKRSDXTBGHJSHHPK..P3=KKVIOQVTEUTA.OKO..P6=RFOLHRLVLKWUMQMLJJA..P0=DAN127..P1=e8a0d5af432b7e64DBD..
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1390312
                                                                                                                                                                                  Entropy (8bit):6.599443687044708
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:w4wwwwscgymwef8Z8Zzj6z1el68mUi1m/ONxdDDHNCU+3kvaBW7839l5Qafgb6L1:pwwwwscgymwefyEQ/U6/NnDDHNCTeaBf
                                                                                                                                                                                  MD5:292575B19C7E7DB6F1DBC8E4D6FDFEDB
                                                                                                                                                                                  SHA1:7DBCD6D0483ADB804ADE8B2D23748A3E69197A5B
                                                                                                                                                                                  SHA-256:9036B502B65379D0FE2C3204D6954E2BB322427EDEEFAB85ECF8E98019CBC590
                                                                                                                                                                                  SHA-512:D4AF90688D412BD497B8885E154EE428AF66119D62FAF73D90ADFFC3EEF086CF3A25B0380EC6FDC8A3D2F7C7048050EF57FCEA33229A615C5DCDA8B7022FA237
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0...0...0...9a.=...9c.I...9b.(...b......b.. ...b..&...9...1...9...7...0........4................1....o.1.....1...Rich0...........PE..L....x.c...........!.........~......x7...............................................~....@.........................P...|......P....p.................P,..........0...............................P...@............................................text............................... ..`.rdata..............................@..@.data...0........4..................@....rsrc.......p......................@..@.reloc...............B..............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2713088
                                                                                                                                                                                  Entropy (8bit):7.9358560764847
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:gCE0mvBnEwvJm7T8UyHNzeBBHKZlYU13/1wUqq7vf2h0Vw:gCZmvBEqUyHcclt/mUCOa
                                                                                                                                                                                  MD5:C625FE50C8CBC877CBFAF1D5212F02C0
                                                                                                                                                                                  SHA1:90763CBEB446C7638F80851E55AF9976285DC56C
                                                                                                                                                                                  SHA-256:F8890DFA4609D9CB2CA685339468C5256356066CF91AB13C9A771A3B8A566D12
                                                                                                                                                                                  SHA-512:898703B75D27A9EE5055965BE16D7DEFA482A4199D6C008E539A0102230743AD4540945B76E78804F4CFA99D3DE79B9584D91F6C74C3FF2E6B8F4CC09E7F472C
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):333824
                                                                                                                                                                                  Entropy (8bit):6.389952178495305
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:WyEhWbJNOcWd55OHSCw1ohITXVvrJGqdK2Dug6dGXLSuMAFi2TBfR:Wlu1IjOIohILJrc4Ezui2TdR
                                                                                                                                                                                  MD5:EC9483F4B8C3910B09CAAB0F6CB7CD1B
                                                                                                                                                                                  SHA1:9931AAA8E626DF273EE42F98E2FC91C2078FDC07
                                                                                                                                                                                  SHA-256:4D9CAE6E2E52270150542084AF949D7B68300E378868165FF601378A38F7048F
                                                                                                                                                                                  SHA-512:84B60FE3CD0EDE19933B37AE0EAEBA1F87174A21BC8086857E57C8729CEC88F9FEF4B50A2B870F55C858DD43B070FD22FFEC5CB6F4FD5B950D6451B05EB65565
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z..S...........#................ .............$k................................. ........ .........................c.... .......`.......................p..|$...........................P......................."..h............................text...T...........................`.P`.data...t...........................@.`..rdata..L.... ......................@.`@.eh_fram............................@.0@.bss..................................`..edata..c...........................@.0@.idata....... ......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..rsrc........`......................@.0..reloc..|$...p...&..................@.0B........................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1063616
                                                                                                                                                                                  Entropy (8bit):6.674869382282474
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:2ODivXdRxWmQOhfbV5l7kZLWfGPeu/PUw6WmARlXDMmH6PBzT/Cn+m4q:2OuvbfGZGGKJT/Cn+Fq
                                                                                                                                                                                  MD5:4FF45827EC92E40935F9939142CD40DC
                                                                                                                                                                                  SHA1:CAD74928F3387E6BF28C3625803706061E956B34
                                                                                                                                                                                  SHA-256:012ED8D16E9F7586FE44C0AFFE5BEA6FF68F27231A6526D439643869A103E434
                                                                                                                                                                                  SHA-512:A3DFE7976E5FFB4BA0C68E218C0924568D343E7937ABB50785107DE5E0ADC11AD58A86E02FABB455845FBE8E545E48B57A67EB647C664390ED521D255FF3BEFE
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...~/._.....................j...................@................................. ...................................{........3.......................@...........................................................................................text...0z.......|.................. ..`.itext.............................. ..`.data...D...........................@....bss.....e...@.......0...................idata...3.......4...0..............@....edata..{............d..............@..@.reloc...............f..............@..B.rsrc................V..............@..@....................................@..@........................................................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):388808
                                                                                                                                                                                  Entropy (8bit):6.5956896905460125
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:B9su6Bohl2JJmgk1G8M0uQoRkQsKwxBF6CaSIU9ILZxxB5ARUWvAX+E:BSohl2JJmgk1U3QMkQsTx3paSIUixGRI
                                                                                                                                                                                  MD5:B8253F0DD523BC1E2480F11A9702411D
                                                                                                                                                                                  SHA1:61A4C65EB5D4176B00A1FF73621521C1E60D28EA
                                                                                                                                                                                  SHA-256:01CEE5C4A2E80CB3FDAD50E2009F51CA18C787BF486CE31321899CCCEDC72E0C
                                                                                                                                                                                  SHA-512:4C578003E31F08E403F4290970BC900D9F42CAA57C5B4C0ACA035D92EDC9921BF4034FC216C9860DA69054B05F98DADE5F6E218AC4BEE991BC37A3EF572FE9A0
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...8..^..........................................@..........................P..........................................c....p...........N...............<.......g..................................................Ts..P............................text...T........................... ..`.itext.............................. ..`.data....).......*..................@....bss....<X...............................idata.......p......................@....edata..c...........................@..@.reloc...g.......h..................@..B.rsrc....N.......N...d..............@..@.............P......................@..@........................................................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1165576
                                                                                                                                                                                  Entropy (8bit):6.491752155251347
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:ptf4OLWmQQ3b6ZVtecP3Ufy/ilDqzybXIZ0xKHpWq0dGcz7msH0WQWmAdA7yJBzA:tLDlDgRGxKHpSJ28TU
                                                                                                                                                                                  MD5:D75E14313FC8A0850F3190CE67509475
                                                                                                                                                                                  SHA1:74474830BC0706E5C0A8B455A4E1B47D9F1DE741
                                                                                                                                                                                  SHA-256:E5C711BDB99AB55EBD96B3636C7396566C98ACFFD03DF735A15F1E18936A718A
                                                                                                                                                                                  SHA-512:A4260F1A9A77BC41FC54532BDBF51F831004767E08150BFF95374663930BBE4FCA81790AA4578C062674557A02A698EA798CFC00F2355F6B8FA71BF2915CBAAA
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......`..........................................@..........................0.......4...............................`..e....@..v........^...............A...p...Y...................................................C...............................text...x........................... ..`.itext.............................. ..`.data....".......$..................@....bss.....Y...............................idata..v....@......................@....edata..e....`......................@..@.reloc...Y...p...Z..................@..B.rsrc....^.......^...*..............@..@.............0......................@..@........................................................................................................................................
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):15086
                                                                                                                                                                                  Entropy (8bit):2.9169468593135157
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:+f+OFx/DgstjfDaf///////aorGbaX8PSccl1q12xfnW1orsKc:+WqDgOQ///////aoZsP+/qAVnWursKc
                                                                                                                                                                                  MD5:1E80DE80CEFEE55D7CFDA0DF2EDCF3B2
                                                                                                                                                                                  SHA1:6E567D732354BBB21F9A57BBB72730C497F35380
                                                                                                                                                                                  SHA-256:4E64F4E40D8CBFF082B37186C831AF4B49E3131C62C00A0CF53E0A6E7E24AC2B
                                                                                                                                                                                  SHA-512:5EFEA023B18FFD5B87A19837BA2C72C179B55B7C3071B773A032C63D7268DBE25E2902AE8B111AD83A4F005346B378C7A75033ADAEE90805BCB4FEC2822E54C0
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):15086
                                                                                                                                                                                  Entropy (8bit):2.7901346596966383
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:+n5lkX/1//AJffffPTb6ylHJxnSfFN5pM2C:+5lkX/K
                                                                                                                                                                                  MD5:FD64F54DB4CBF736A6FC0D7049F5991E
                                                                                                                                                                                  SHA1:24D42FB471AAA7BCD54D7CCB36480F5ADD9B31D4
                                                                                                                                                                                  SHA-256:C269353D19D50E2688DB102FEF8226CA492DB17133043D7EB5420EE8542D571C
                                                                                                                                                                                  SHA-512:EC622AFAB084016F144864967A41D647E813282CB058F0F11E203865C0C175BA182E325A6D5164580FF00757C8475B61DE89CCC8E892E1B030E51B03AD4EAFB4
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):83968
                                                                                                                                                                                  Entropy (8bit):6.283009388320045
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:Qi12LEaWOxM9hYukoDe3RLKXUID/ERcpB31zxvSmSsW8JzY0cdyRe5fOXbhX:WWO0ioC3DID/ZxvpY1yRe5ObhX
                                                                                                                                                                                  MD5:0CD6E3C177AE2D5491D06F05748147D1
                                                                                                                                                                                  SHA1:18934C204E18D3DB17EC07A8B67A79DE38A24D6B
                                                                                                                                                                                  SHA-256:C6168948683071FF85C9504F988B72B1F341A7BF4A77E1591F827AEF1514B805
                                                                                                                                                                                  SHA-512:B66663DB171976DBAE987A994B887F687CC807402A95D55802EDE2BB23907B360C9548B40F4D6D59C05B32CC7E8E77081F5B1703B27E2CD0664DA15C490DD5E4
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 355x304, components 3
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):7379
                                                                                                                                                                                  Entropy (8bit):7.675014430898698
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:Zs7nc2Efd4WLNlTSGJG8J+F1sGaPEl1M5np44DE4wA2A+fHDeGWhzrd7yf8TJWpC:ZsA2DqTRUUQMT4LxjPWhzrNyiFI5Ip
                                                                                                                                                                                  MD5:6F1B5342D1B781596A4FEC79112DCB0C
                                                                                                                                                                                  SHA1:08BDEDC9F65FC3A5F6D13D3EF0502769ABE4BD05
                                                                                                                                                                                  SHA-256:3986699B9B4BE2F8C1747A37E74943F78870623701F08C90CAA007B4DE17924C
                                                                                                                                                                                  SHA-512:FAE8A651E1DAF872A24FAE87D477F286CAD599DC232A716DBBAD7F091236DA80C71C30B990B6E2F4FF7E06D4414876DB756B452272A9A3E4B3EC1BC32B9E30D5
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 3 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2862
                                                                                                                                                                                  Entropy (8bit):3.160430651939096
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:QFFZ+f+zd+kHeNTM9/+Xz++++++++YWWS0i6I:QFFEw4Xc+D++++++++ypi9
                                                                                                                                                                                  MD5:983358CE03817F1CA404BEFBE1E4D96A
                                                                                                                                                                                  SHA1:75CE6CE80606BBB052DD35351ED95435892BAF8D
                                                                                                                                                                                  SHA-256:7F0121322785C107BFDFE343E49F06C604C719BAFF849D07B6E099675D173961
                                                                                                                                                                                  SHA-512:BDEE6E81A9C15AC23684C9F654D11CC0DB683774367401AA2C240D57751534B1E5A179FE4042286402B6030467DB82EEDBF0586C427FAA9B29BD5EF74B807F3E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):15086
                                                                                                                                                                                  Entropy (8bit):5.432735724336821
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:lN3tnZnyRZF64hc28fwy+aXE25b6K0FHQHVd42oJ2zwZlaw484:lN37Yai8IaD5T0FHQHg29wZla04
                                                                                                                                                                                  MD5:3EAFE3AE99BF33E9F59D970F21EBEF39
                                                                                                                                                                                  SHA1:E9895CB920FDEB8907CE37D9666D4999A1DE5D2F
                                                                                                                                                                                  SHA-256:5F6C78970EE7E3D668EB8A4ACB5D251C76599424A0B0372E7665527516D4C312
                                                                                                                                                                                  SHA-512:8983717D464AC046A8A272276E90D3D1FD7900D2D89998FC332E420ECA4F01FCFBABB390667B4324C549D0655E62E181E3E7BEED514C5B9B67D0F8D480A9388D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):15086
                                                                                                                                                                                  Entropy (8bit):5.4001074083138745
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:lN3tnFnyRZF64BiTfwy+aXE25b6K0FHQHVd4RhE2zwZlaw484:lN3XYa5TIaD5T0FHQHgRfwZla04
                                                                                                                                                                                  MD5:1B5701D7F753135C22CC1AE694FFAF4B
                                                                                                                                                                                  SHA1:966BDEF4159022FCC8740B6EB75B8D7AC4212504
                                                                                                                                                                                  SHA-256:AEBA695175ED96D3EDE9FE30E486DF59C64A5FD802C15CB67F55E03A0537CD13
                                                                                                                                                                                  SHA-512:4069B6AC1E51703687E0C17EA83527A258FF0C4BB4DC8051C96E5F98A7902C3301B89A5D2B55872711F85F528B0FB9BAEAF94E93B49B0A48BB8912E06A204EAC
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 2 icons, 48x48, 8 bits/pixel, 48x48, 32 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):13430
                                                                                                                                                                                  Entropy (8bit):4.339511276304085
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:KYvlkFEXFYU2+yCvIFA13cJ/rrrrrpbEn5UnanjPRZfZy1wvI8:bVXuzd6IF0czwNPDZfI8
                                                                                                                                                                                  MD5:93D722FA20A988A5C257A58BF155DC66
                                                                                                                                                                                  SHA1:30C0D19F02CB39F8804DAFE6AF483A09C76E2338
                                                                                                                                                                                  SHA-256:F587867EED0BEC33EF150F3A8525BDE9B6746C705543874E56653AA80EA53225
                                                                                                                                                                                  SHA-512:BFB91739AE7432DD7D0A919F15B5B721E733675C3C2A4D5238C9955A6517DD4653042FA444F2D2627508908F6DA7DE0FBF22F37CF1A60476F59CBF254F62F736
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):15086
                                                                                                                                                                                  Entropy (8bit):5.036354960673055
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:q4lYOUfhBJ1gqASunI8FoQaaJ+nkt0p1b+v:q4leXXArnI8FoVa4nP0
                                                                                                                                                                                  MD5:235E54EB7ACEA02DC322F4065498165D
                                                                                                                                                                                  SHA1:AD825997EC58A33A164B471FE3BD4B7C74614D9A
                                                                                                                                                                                  SHA-256:B294EDF73CC936610CC81BCA6B95D1C7D6091595EC074C6B334ECA45D2DC354F
                                                                                                                                                                                  SHA-512:5AC20371FD09E6A1F8C134FB24C045C36D835544D04E681FB6A51ADFF12A6BF8225C53D865B601EA5452024ABE7C02204A759B317D7410CF59F66ADFBE089D5C
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):15086
                                                                                                                                                                                  Entropy (8bit):3.347251063198798
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:+h7OMtMrJbDG0UDLHMrhmZ1galQpAAAAAAAAAAAS55qjOlr9n:+6g0uyi1ZQpAAAAAAAAAAASXqjOp9n
                                                                                                                                                                                  MD5:8595D2A2D58310B448729E28649443D6
                                                                                                                                                                                  SHA1:08C1DF6FBF692F21157B2276EB1988AC732FF93C
                                                                                                                                                                                  SHA-256:27F13C4829994B214BB1A26EEF474DA67C521FD429536CB8421BA2F7C3E02B5F
                                                                                                                                                                                  SHA-512:AE409B8F210067AC194875E8EBF6A04797DF64FA92874646957B2213FB4A4F7DA2427EF1ED8D35CD2832B2A065E050298BAC0FC99C2A81DE4A569A417C2A1037
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 6 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):22486
                                                                                                                                                                                  Entropy (8bit):5.511908704029649
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):22880
                                                                                                                                                                                  Entropy (8bit):6.92037593808898
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 760x100, components 3
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):15366
                                                                                                                                                                                  Entropy (8bit):7.95557428882131
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 6 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):22486
                                                                                                                                                                                  Entropy (8bit):2.6933610069396567
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):15086
                                                                                                                                                                                  Entropy (8bit):5.656471862600903
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 760x17, components 3
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3420
                                                                                                                                                                                  Entropy (8bit):7.841479572759416
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 760x505, components 3
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):26619
                                                                                                                                                                                  Entropy (8bit):7.547741155491426
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):15086
                                                                                                                                                                                  Entropy (8bit):4.926016576393048
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 493x312, components 3
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1232
                                                                                                                                                                                  Entropy (8bit):1.290282383283862
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:nSullBbsRllAqp/y4FKKn5bbeWfa5QpUolHmBkDt0+EtZtE//Wmst18n:3llxqQ8AfQRGSDt0RZty/Wmsw
                                                                                                                                                                                  MD5:57D130DDF327FCC5DA636A6AB4D7C112
                                                                                                                                                                                  SHA1:D674F332D4F79C70D4A97BFD9E504A8F3A2C26B6
                                                                                                                                                                                  SHA-256:990EAB9FAAAE9F78201EF00A72F7B59773EED2B2FC9EC72250C67F376EE0500F
                                                                                                                                                                                  SHA-512:E2F2141973CD9B7B52347EBCC89E89FDDEAA5B9721011C2CD7B2F2EAE434EF0F10D02537EB0F1AD6276FA182147AE935277EF9BBE31960EE2D82437C0741D39D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 446x92, components 3
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):554
                                                                                                                                                                                  Entropy (8bit):2.356721207995078
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:nSullBbsRllAqp/y4FKKn5bbeWfa5QpUolG5PkDt0+EtZtE//WmstN8n:3llxqQ8AfQRG5cDt0RZty/WmsY
                                                                                                                                                                                  MD5:4429F170056663EFD1486395E8EB0AF6
                                                                                                                                                                                  SHA1:AE9B01A44C8EE5AE7146F0523E512EE32DC284AD
                                                                                                                                                                                  SHA-256:FFE2980D90152EF603555A735B7CBA1917C99BB67061B44D6AC6F12E6384BDD9
                                                                                                                                                                                  SHA-512:719F4E55944502F7D472F362DD0D1D09649FBAEC0515701C9C84BBB3F32B06CC29E4A4C55022BC034CBC68C9C151A90018A926D1A08B4D5048F117950E9135E9
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1145696
                                                                                                                                                                                  Entropy (8bit):6.517876267164052
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:+oY9D/tCubZoXth0lhSMXl+lZu51SDcf81Y8AnwjzfN:CBRloXEul05gDcf81Y8AnwjzfN
                                                                                                                                                                                  MD5:BD9A5B67A4125207CB64929B2CCB7E00
                                                                                                                                                                                  SHA1:0704C904E63000F7A63527C10D722E0D2D32520D
                                                                                                                                                                                  SHA-256:8FDD323EB0E35B9FCA823435E8D760F5263FFFEFAA2A3E853FE6CD4925B2249C
                                                                                                                                                                                  SHA-512:9D5A159A0095EE765F2C5220DF0EB4E0C574F4A0ABDC2D23F0169518B3C5242B486F86A597F61A096BB0FFA99F95D8E025A3B824D55543F69FDF7D98001BEF71
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):756576
                                                                                                                                                                                  Entropy (8bit):6.616049802032926
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
                                                                                                                                                                                  MD5:D4423CDEA4650917773B680EB52F9A32
                                                                                                                                                                                  SHA1:B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
                                                                                                                                                                                  SHA-256:12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
                                                                                                                                                                                  SHA-512:B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1145696
                                                                                                                                                                                  Entropy (8bit):6.517876267164052
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:+oY9D/tCubZoXth0lhSMXl+lZu51SDcf81Y8AnwjzfN:CBRloXEul05gDcf81Y8AnwjzfN
                                                                                                                                                                                  MD5:BD9A5B67A4125207CB64929B2CCB7E00
                                                                                                                                                                                  SHA1:0704C904E63000F7A63527C10D722E0D2D32520D
                                                                                                                                                                                  SHA-256:8FDD323EB0E35B9FCA823435E8D760F5263FFFEFAA2A3E853FE6CD4925B2249C
                                                                                                                                                                                  SHA-512:9D5A159A0095EE765F2C5220DF0EB4E0C574F4A0ABDC2D23F0169518B3C5242B486F86A597F61A096BB0FFA99F95D8E025A3B824D55543F69FDF7D98001BEF71
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):756576
                                                                                                                                                                                  Entropy (8bit):6.616049802032926
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
                                                                                                                                                                                  MD5:D4423CDEA4650917773B680EB52F9A32
                                                                                                                                                                                  SHA1:B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
                                                                                                                                                                                  SHA-256:12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
                                                                                                                                                                                  SHA-512:B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):756576
                                                                                                                                                                                  Entropy (8bit):6.616049802032926
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
                                                                                                                                                                                  MD5:D4423CDEA4650917773B680EB52F9A32
                                                                                                                                                                                  SHA1:B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
                                                                                                                                                                                  SHA-256:12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
                                                                                                                                                                                  SHA-512:B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):756576
                                                                                                                                                                                  Entropy (8bit):6.616049802032926
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
                                                                                                                                                                                  MD5:D4423CDEA4650917773B680EB52F9A32
                                                                                                                                                                                  SHA1:B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
                                                                                                                                                                                  SHA-256:12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
                                                                                                                                                                                  SHA-512:B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):756576
                                                                                                                                                                                  Entropy (8bit):6.616049802032926
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
                                                                                                                                                                                  MD5:D4423CDEA4650917773B680EB52F9A32
                                                                                                                                                                                  SHA1:B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
                                                                                                                                                                                  SHA-256:12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
                                                                                                                                                                                  SHA-512:B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1178464
                                                                                                                                                                                  Entropy (8bit):6.458242650271239
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:MPNeES6xH6me4EmTeixI7KvGYRnY4eWmsmqFZ7WKZ5EQbhpP9gY0dB0lAwvI/oA:MlPjgzixI+vGYRnAWNTWw5EQbhpP9gYG
                                                                                                                                                                                  MD5:8161F0819B3ED52B1C5407E248311123
                                                                                                                                                                                  SHA1:5A0CEAA53740DFD00EF126A9BC947EE632013493
                                                                                                                                                                                  SHA-256:D3522415D0BCC4556B79869E3AE0E240133616544651FAE1D1D74C5C50841411
                                                                                                                                                                                  SHA-512:02A4E95B250D9E87FB5B5CB4E003E67B34F6F4ADE649C0EFABDDCAD88645318CADFABBB433EE8DE1A8D9DA07E1BF783A335B0C0A1D143D7F2887BA61C0E2464A
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1145696
                                                                                                                                                                                  Entropy (8bit):6.517876267164052
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:+oY9D/tCubZoXth0lhSMXl+lZu51SDcf81Y8AnwjzfN:CBRloXEul05gDcf81Y8AnwjzfN
                                                                                                                                                                                  MD5:BD9A5B67A4125207CB64929B2CCB7E00
                                                                                                                                                                                  SHA1:0704C904E63000F7A63527C10D722E0D2D32520D
                                                                                                                                                                                  SHA-256:8FDD323EB0E35B9FCA823435E8D760F5263FFFEFAA2A3E853FE6CD4925B2249C
                                                                                                                                                                                  SHA-512:9D5A159A0095EE765F2C5220DF0EB4E0C574F4A0ABDC2D23F0169518B3C5242B486F86A597F61A096BB0FFA99F95D8E025A3B824D55543F69FDF7D98001BEF71
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1178464
                                                                                                                                                                                  Entropy (8bit):6.458242650271239
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:MPNeES6xH6me4EmTeixI7KvGYRnY4eWmsmqFZ7WKZ5EQbhpP9gY0dB0lAwvI/oA:MlPjgzixI+vGYRnAWNTWw5EQbhpP9gYG
                                                                                                                                                                                  MD5:8161F0819B3ED52B1C5407E248311123
                                                                                                                                                                                  SHA1:5A0CEAA53740DFD00EF126A9BC947EE632013493
                                                                                                                                                                                  SHA-256:D3522415D0BCC4556B79869E3AE0E240133616544651FAE1D1D74C5C50841411
                                                                                                                                                                                  SHA-512:02A4E95B250D9E87FB5B5CB4E003E67B34F6F4ADE649C0EFABDDCAD88645318CADFABBB433EE8DE1A8D9DA07E1BF783A335B0C0A1D143D7F2887BA61C0E2464A
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):5038592
                                                                                                                                                                                  Entropy (8bit):6.043058205786219
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
                                                                                                                                                                                  MD5:11F7419009AF2874C4B0E4505D185D79
                                                                                                                                                                                  SHA1:451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
                                                                                                                                                                                  SHA-256:AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
                                                                                                                                                                                  SHA-512:1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):5038592
                                                                                                                                                                                  Entropy (8bit):6.043058205786219
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
                                                                                                                                                                                  MD5:11F7419009AF2874C4B0E4505D185D79
                                                                                                                                                                                  SHA1:451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
                                                                                                                                                                                  SHA-256:AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
                                                                                                                                                                                  SHA-512:1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4509696
                                                                                                                                                                                  Entropy (8bit):6.100941182830929
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:jm+XAVAMPLfOyim8iTRxYUOQSfLTZZZ2y38lb7Cjn3mboy4+MT7ujWx/Tl0ng48e:CzVAwiKTOpfLTDQyaNoy787ujWx/TlR
                                                                                                                                                                                  MD5:F6153E803F1533042AC7E6988237C2C3
                                                                                                                                                                                  SHA1:DDA81BB8BC8CC14877C9CB9B7C664DEFD81EBB4F
                                                                                                                                                                                  SHA-256:F42A771D310C762C05A5BE3DE0CFDB9BEC28D3DFCCAEF800C901F551A0DF30ED
                                                                                                                                                                                  SHA-512:7AE76A4CB58A9929C09B1D6376073268622C74B1E3F0C346AFA7A7829E2EF136CCF091F58CCA28BFE83C665573C23D9DB6AF51A44275DA0CC2CF8C1306ADDBAC
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):83128
                                                                                                                                                                                  Entropy (8bit):6.654653670108596
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:0jIdYoF2CwmzOVStYMAuNWrmaTk++ouMOczT0ud4x41xmPS:0jRoFZwmr+bDk/MOcv0G4sxm
                                                                                                                                                                                  MD5:125B0F6BF378358E4F9C837FF6682D94
                                                                                                                                                                                  SHA1:8715BEB626E0F4BD79A14819CC0F90B81A2E58AD
                                                                                                                                                                                  SHA-256:E99EAB3C75989B519F7F828373042701329ACBD8CEADF4F3FF390F346AC76193
                                                                                                                                                                                  SHA-512:B63BB6BFDA70D42472868B5A1D3951CF9B2E00A7FADB08C1F599151A1801A19F5A75CFC3ACE94C952CFD284EB261C7D6F11BE0EBBCAA701B75036D3A6B442DB2
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4509696
                                                                                                                                                                                  Entropy (8bit):6.100941182830929
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:jm+XAVAMPLfOyim8iTRxYUOQSfLTZZZ2y38lb7Cjn3mboy4+MT7ujWx/Tl0ng48e:CzVAwiKTOpfLTDQyaNoy787ujWx/TlR
                                                                                                                                                                                  MD5:F6153E803F1533042AC7E6988237C2C3
                                                                                                                                                                                  SHA1:DDA81BB8BC8CC14877C9CB9B7C664DEFD81EBB4F
                                                                                                                                                                                  SHA-256:F42A771D310C762C05A5BE3DE0CFDB9BEC28D3DFCCAEF800C901F551A0DF30ED
                                                                                                                                                                                  SHA-512:7AE76A4CB58A9929C09B1D6376073268622C74B1E3F0C346AFA7A7829E2EF136CCF091F58CCA28BFE83C665573C23D9DB6AF51A44275DA0CC2CF8C1306ADDBAC
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):83128
                                                                                                                                                                                  Entropy (8bit):6.654653670108596
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:0jIdYoF2CwmzOVStYMAuNWrmaTk++ouMOczT0ud4x41xmPS:0jRoFZwmr+bDk/MOcv0G4sxm
                                                                                                                                                                                  MD5:125B0F6BF378358E4F9C837FF6682D94
                                                                                                                                                                                  SHA1:8715BEB626E0F4BD79A14819CC0F90B81A2E58AD
                                                                                                                                                                                  SHA-256:E99EAB3C75989B519F7F828373042701329ACBD8CEADF4F3FF390F346AC76193
                                                                                                                                                                                  SHA-512:B63BB6BFDA70D42472868B5A1D3951CF9B2E00A7FADB08C1F599151A1801A19F5A75CFC3ACE94C952CFD284EB261C7D6F11BE0EBBCAA701B75036D3A6B442DB2
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1390312
                                                                                                                                                                                  Entropy (8bit):6.599443687044708
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:w4wwwwscgymwef8Z8Zzj6z1el68mUi1m/ONxdDDHNCU+3kvaBW7839l5Qafgb6L1:pwwwwscgymwefyEQ/U6/NnDDHNCTeaBf
                                                                                                                                                                                  MD5:292575B19C7E7DB6F1DBC8E4D6FDFEDB
                                                                                                                                                                                  SHA1:7DBCD6D0483ADB804ADE8B2D23748A3E69197A5B
                                                                                                                                                                                  SHA-256:9036B502B65379D0FE2C3204D6954E2BB322427EDEEFAB85ECF8E98019CBC590
                                                                                                                                                                                  SHA-512:D4AF90688D412BD497B8885E154EE428AF66119D62FAF73D90ADFFC3EEF086CF3A25B0380EC6FDC8A3D2F7C7048050EF57FCEA33229A615C5DCDA8B7022FA237
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):34
                                                                                                                                                                                  Entropy (8bit):4.231009444816111
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:mKDDGMLCyLuVFOZh9n:hSKfLuVFOZz
                                                                                                                                                                                  MD5:326F18673467B34662A43E1B7588C82D
                                                                                                                                                                                  SHA1:A9E584530B851E014BB475FEBE51474D7E41278E
                                                                                                                                                                                  SHA-256:4693C9628F2CFC8C789225B984CCEA576D665D6792B3CA265EF0B5D27127CAF2
                                                                                                                                                                                  SHA-512:56B39C93DE447F73BB94F6A0EECA1E20B318CDA3CC5B5ABE14BCB0C8E6F0A066AF98D8C6DDF42A1E4B57E82747142663FAA5554E5F941E2B90C38D4C105ABC9F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:@echo off..ping -n 10 127.1 >nul..
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):57504
                                                                                                                                                                                  Entropy (8bit):6.908600489842891
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:5wQ0j2HOip0EdcP2dWDWoviK2SVb41Pxc73LPxA:5VOqd+vi3Sb0xcDTx
                                                                                                                                                                                  MD5:02948F19A0488CED88F4806C959EF24F
                                                                                                                                                                                  SHA1:D47C1439309BEF82C1CA0A623D1CBC70C259B935
                                                                                                                                                                                  SHA-256:712B2845697459CCDF6E71BAE7FF3B423254A91EB5C85B02551B2AD2A4112EE3
                                                                                                                                                                                  SHA-512:681182CBB8E55C0008F4D2B6141B507F51C98050F014A66D256A5252E24F8DD2AC8559D71F0F01953830DBBF840F07C57A7E520274180B5AE35329D447AA8675
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):37024
                                                                                                                                                                                  Entropy (8bit):7.054557610794306
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:dBdwySZ+f1RGV4NhzM8EJPxm5Yi3fPxWEf:dLtf1c4b41Pxo73fPx
                                                                                                                                                                                  MD5:F6C740A06CF69CB38527B746C1B5C90D
                                                                                                                                                                                  SHA1:6EE733F791DE76AE9B6EDA05F4514BBAC3D17749
                                                                                                                                                                                  SHA-256:29B7F57469745537CABAAB229BFB9FC2084CC7BEF14EEFE734C2C3A6EBF02F48
                                                                                                                                                                                  SHA-512:01FBCAB3ED927082F60F96E0EA6647540F333FD2CB85E6E108D5FD0FAF358C809098B2CC0F8C50CB8BEA37FA81AADF31D21DF3F043B91E71F5D330E1407086A2
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):16
                                                                                                                                                                                  Entropy (8bit):2.091917186688699
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:WlWUqn:idqn
                                                                                                                                                                                  MD5:EAD3D4CBA62CAD943DCA9FA88139D258
                                                                                                                                                                                  SHA1:244E3C37AB41854F5B221653AC42CF26A4FAA97D
                                                                                                                                                                                  SHA-256:74228703D2D0DCF060D50F1046EDB9D7273D901E50B728AFD50A4D42BE752674
                                                                                                                                                                                  SHA-512:7ED4C73369A9E1C7CABABD6BB9E04674FC6E1D0C7FB40F46A129B94BFF895F9C65413A4875BBCEC91F4DDDC9B3CF7FBB344CDC87CC9E636DC6843775204F413B
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:MZ..............
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):32768
                                                                                                                                                                                  Entropy (8bit):5.761658988442702
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:ovAw66vILDbNRhbHeJh8+oXBjxJd5IyYQGSbdkDjkoebjDISVjNW8SCW0:ovAOQbSEln5IyYpamDjobj8ShSA
                                                                                                                                                                                  MD5:A5DD94434C702493D4577E966134B303
                                                                                                                                                                                  SHA1:6BFAEB811189C41521802A11E0836237CD169395
                                                                                                                                                                                  SHA-256:A26F4219815C297C705060B77595EF76E35E9E2BEDBEB5AFB3357CDC5BA2717F
                                                                                                                                                                                  SHA-512:C5A44A9D526C2D494FCDCD765BAF7A765E53838F53A65DF1D1CE4114FCB1186296A8FAEBEE4BD0A39A41C9E96AA3B3484E07D86FBD117BE7915610EB4EF5CF77
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):710888
                                                                                                                                                                                  Entropy (8bit):6.630506217753263
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:6BMGnPEAEuRNz2HuiEJe0z6h5KEuEVv4D1wEM50+OD2evinKqcQUuWnI8:6BMGnPEAEyXiEw0xXD2evincvFnn
                                                                                                                                                                                  MD5:FAE7D0A530279838C8A5731B086A081B
                                                                                                                                                                                  SHA1:6EE61EA6E44BC43A9ED78B0D92F0DBE2C91FC48B
                                                                                                                                                                                  SHA-256:EEA393BC31AE7A7DA3DBA99A60D8C3FFCCBC5B9063CC2A70111DE5A6C7113439
                                                                                                                                                                                  SHA-512:E75C8592137EDD3B74B6D8388A446D5D2739559B707C9F3DB0C78E5C30312F9FCCD9BBB727B7334114E8EDCBB2418BDC3B4C00A3A634AF339C9D4156C47314B4
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):310
                                                                                                                                                                                  Entropy (8bit):5.218991813797138
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6:ejHyaVic4subiKFNFWod/OjpFFHDhkQwY7HmXXKmJpkQwYEn0gCYEnP9FN:eF8iK9WW/OjrF4CA/cX0vXDN
                                                                                                                                                                                  MD5:B3D5B8ADD818034C991FE15C13E0B055
                                                                                                                                                                                  SHA1:3FBFBECC2C10DE459586B3B39D2F7CB45289C8B1
                                                                                                                                                                                  SHA-256:79F8A190196CC5B79B99A07991A34B2E5AA25989FC22121B6C17B80F4772801E
                                                                                                                                                                                  SHA-512:3C3E233072D9F4F94DDF2AF992339F43755DE9BC4F136BC6CC2EB1255B55C97D86495B8AF415C6880D62D8904D9E2EE61B427CA13FAB08492D4341F1D2E86E0D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:<Application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">.. <VisualElements.. BackgroundColor="#2D2D30".. ShowNameOnSquare150x150Logo="on".. ForegroundText="light".. Square150x150Logo="Assets\Blend.150x150.png".. Square70x70Logo="Assets\Blend.70x70.png" />..</Application>..
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):38
                                                                                                                                                                                  Entropy (8bit):3.827554659468926
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Ol/QfkTsfIedYRXY:OlTT2dYRI
                                                                                                                                                                                  MD5:F1B791B8D42F4D4B5794E254F7A86BD1
                                                                                                                                                                                  SHA1:20B839C9257D51F28C7814C99922DBCD1A1EE248
                                                                                                                                                                                  SHA-256:174423E75513994F0205EB2D874583D791C17A391B1DD97FBCE3CAD7E7FCAE61
                                                                                                                                                                                  SHA-512:924CA93F18CB19C2F138E9DCFA21C0E90473EC2FFBAA3AC208A26ED9944FB0FCAEDFCCAC7138A5A825EED3B4FB033653BEE4BC2F79CD9D5084156A0D9D685407
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:{491EB955-8A31-4381-BA1F-FDA4C60415A4}
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:COM executable for DOS
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):129008
                                                                                                                                                                                  Entropy (8bit):7.827316426792684
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:vRZzFCwH6WrKxTtcZaUMueR2ZGCApbu7n31bsj9y:pZBC66WrKDcMxR24rpbu71g
                                                                                                                                                                                  MD5:D76420DC56BE74361FF5053D87A752A7
                                                                                                                                                                                  SHA1:E4E95C6D322FA5007F045F969A507A79DBA24A18
                                                                                                                                                                                  SHA-256:CAA76B91F5ED0D10ADD3F757B7412822795013547AB286906D9F3740C0501A32
                                                                                                                                                                                  SHA-512:C96654CB012F883037DC11478256779A4859C1A8D158D53430CE83040BAA327F0B060D52A6B8C7832F6497D3F7FABEF47EB4E33C841CBB90EA5373D7263398CB
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:Generic INItialization configuration [Userddress]
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):313
                                                                                                                                                                                  Entropy (8bit):5.67841607960707
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6:OZPixNiKRSVWTQlY2LXmwPxhb4eR8iiLrAmXOtAvHPzT3U6g:OZaRRXQNLXmwPxhb4e7iLkmXOtqL72
                                                                                                                                                                                  MD5:5DB5802855390316509312EA98913E3F
                                                                                                                                                                                  SHA1:941E2FB957A5160AAD5BCBB69D4D8EEB1E679679
                                                                                                                                                                                  SHA-256:16BA11467408450A06C599D7AFC8D3FF383EF6FC06E0FAF028CC71DCF71EB980
                                                                                                                                                                                  SHA-512:B048090B41CE724D3F09BA82B70606F553658990F007BDB93BE41D0178DA81B210956D815EDE31319C35E86EF74CC5B0DCA69F113D066B16745DE6B7583C3E98
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:[Data]..Type=UMnwio9zv2FqxxUVMR0jWJnXhzGyjuwdGhyjE7NmuwPzPTn2oWYbUgHhroi6QH..[Userddress]..Data=ya4feBPz9quDWubPmy1BrWBrJ2epxBFxdZ2u51ne4Q6dcjTemYgPRQMGN5akXwRqkmPKRMc5ptX1Mccd9HRaBLKEd0AntxumwTZx..[DataTransform_CreateZlibCompressor]..Dictionary_Rekey=A.exe..[ctrl]..ctr=SearchRun.exe..[Desktop]..Desktop=rar.exe
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):12840
                                                                                                                                                                                  Entropy (8bit):7.986702439437666
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:/ZrfidU1vKpUcMlqiP66dS2qu9wl2apxWama5IWmciIplqLngTmfqDnoKax5eq3m:Jfim1C4lqiP1dxWZZGciI62oROzl
                                                                                                                                                                                  MD5:11F506F266C236A58D62D0F466A537AD
                                                                                                                                                                                  SHA1:F948F8013782A3AA3F5D7BCAD62E8CC63146007C
                                                                                                                                                                                  SHA-256:958BF016A726EDF619062E3C56CE54E6E46C9982912EB92081A2B91B2B5E50B0
                                                                                                                                                                                  SHA-512:5E5C636D05B8D4B3F880243B001FF8CB32EC1883D86F55F78CA65CD92BA3B9BF52A84BB75CA9F98FFA423ECF683EFA22F2B584FE0B9B6C104A7EE1C145B81634
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):174304
                                                                                                                                                                                  Entropy (8bit):6.858552596804119
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:Q0HJ5wo1/MJjozYJimE2BamDKigu/fgl1glfdjgBftJeCE5vLEnM7QrRz:/J5wUmhkmDKVuE1gQJeCERLG1F
                                                                                                                                                                                  MD5:0D318144BD23BA1A72CC06FE19CB3F0C
                                                                                                                                                                                  SHA1:91A270D8E872EA2A185309CA9CE5D9F08047809E
                                                                                                                                                                                  SHA-256:60503684F39425C5505805A282EB010ECB8148BBF7EFE9BBA9CF33C507AF7F3A
                                                                                                                                                                                  SHA-512:A3F3C7D84644B13868AC324947C2D678620E341E368B781D45F244A53F448D6B24BE7B50AC9908728DFBBB74214FCB46902137910E907F14F601518C0EFD215B
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.A...A...A...,...H...,...;...,...Y...z...S...z...S...z...d...,...D...A...........C.......@...A...@.......@...RichA...........PE..L...V.]d.............................#............@.................................Z.....@.................................48..<....p..0............`...H...........*..T............................+..@...............$............................text............................... ..`.rdata...^.......`..................@..@.data........@.......2..............@....gfids.......`.......<..............@..@.rsrc...0....p.......>..............@..@.reloc...............P..............@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines (342), with CRLF, CR line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):8108
                                                                                                                                                                                  Entropy (8bit):4.965236708426262
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:MuZUkwsSwZhuV3wM3DwuMu93wv3Dwui4Cya:MuZUkwsSwZhuV3wM3DwuMu93wv3Dwui/
                                                                                                                                                                                  MD5:A77B71F6E5FE1F50065AC8A15796AFEB
                                                                                                                                                                                  SHA1:80A83A247FFD47529419873B32E02852B75D47AF
                                                                                                                                                                                  SHA-256:D02D5181E13AA96B67AB75F51C03AB1F1286F7A28FD92ACA3021E4E694A4E2E8
                                                                                                                                                                                  SHA-512:E5502B347C545C4460ABDA78242B238D83AB4645F0495D933B4C419CB4872520915E13C8A6F5137B260B000C690145A8139A7FF47286BC9875531F74167B50A8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8"?>... Generated by WBEM Solutions, Inc. SDKPro 3.0.0-->...<xs:schema xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:class="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData">...<xs:import namespace="http://schemas.dmtf.org/wbem/wscim/1/common" schemaLocation="common.xsd"/>...<xs:element name="ResourceType" nillable="true">...<xs:complexType>...<xs:simpleContent>...<xs:restriction base="cim:cimAnySimpleType">...<xs:simpleType>...<xs:union>...<xs:simpleType>...<xs:restriction base="xs:unsignedShort">...<xs:enumeration value="1"/>...<xs:enumeration value="2"/>...<xs:enumeration value="3"/>...<xs:enumeration value="4"/>...<xs:enumeration value="5"/>...<xs:enumeration value="6"/>...<xs:enumeration value="7"/>...<xs:enumeration val
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines (332), with CRLF, CR line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):5951
                                                                                                                                                                                  Entropy (8bit):4.95379352101584
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:IHpusmyEYtpusmyEcpusmyEf6dEvrgeUKMvLm0n/:4usm0zusm+usmLtVUKmLma
                                                                                                                                                                                  MD5:8737313A1CD47D1BD415F4CD7C8D5A35
                                                                                                                                                                                  SHA1:C3FE8ED373DD8807DC56B8ACD807A01163BA1945
                                                                                                                                                                                  SHA-256:190C096159A5286655707E1141EEFFCE86484AC48DE4F54CBA4CD44C59868CDB
                                                                                                                                                                                  SHA-512:C3090FC492DC1C875715B1A82906F7466CA63AE5BDFAB0A7730DBEDAAF622ED7FC5471D9F036813D423C33CDB4CC80BA9A8AFCC8387E365FDB7148B84BF2BB8B
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8"?>... Generated by WBEM Solutions, Inc. SDKPro 3.0.0-->...<xs:schema xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:class="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData">...<xs:import namespace="http://schemas.dmtf.org/wbem/wscim/1/common" schemaLocation="common.xsd"/>...<xs:element name="VirtualSystemIdentifier" nillable="true" type="cim:cimString"/>...<xs:element name="VirtualSystemType" nillable="true" type="cim:cimString"/>...<xs:element name="Notes" nillable="true" type="cim:cimString"/>...<xs:element name="CreationTime" nillable="true" type="cim:cimDateTime"/>...<xs:element name="ConfigurationID" nillable="true" type="cim:cimString"/>...<xs:element name="ConfigurationDataRoot" nillable="true" type="cim:cimString"/>...<xs:elem
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):144872
                                                                                                                                                                                  Entropy (8bit):6.1033991888043255
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:Poib/ncfh8z2geq5CpLFuAzpXDGX12HBt:zb/6RpugpY2HBt
                                                                                                                                                                                  MD5:D0C679D73048A8AF8C5F483BDBCAF0A2
                                                                                                                                                                                  SHA1:6AFEBA5B8C5A390B2A487590A5EE7E10ABFEFE6F
                                                                                                                                                                                  SHA-256:952451312864D1CF98C137EF6B5048F325325CC1237B1D1DB26819839ED7FC27
                                                                                                                                                                                  SHA-512:BCFF13C8FD3B01AA5F8BA54D91ACE7E74EF5A370808B517471271FE39318938DECAFE5A40D26A94D46D3DBB2E5EB152209828269EC86B210B04C3C13B13DA23F
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'.I.Fz..Fz..Fz.+...Fz.+...Fz.+...Fz...~..Fz...y..Fz......Fz..>...Fz..F{..Fz../s..Fz../...Fz..F...Fz../x..Fz.Rich.Fz.........................PE..L...N.;^.....................<....................@.......................... ............@.................................T...P....@..................PC..............p...........................0...@............................................text............................... ..`.rdata...\.......^..................@..@.data...L.... ......................@....rsrc........@......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):6264
                                                                                                                                                                                  Entropy (8bit):4.246298126375936
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Pf3v3vP3X3P3PPnHnPXvHf/H3PnXnPfnPHnvfP//PHffH3H/v3PnfHXP3vP/P3Pr:b
                                                                                                                                                                                  MD5:DDDAB64301999870824A2CC0E358689B
                                                                                                                                                                                  SHA1:664263BF0641B55AF72EFBB6A9AB91AC77673D54
                                                                                                                                                                                  SHA-256:DAAA8FC859B10444E218800FC15E2E7560EBF59E269BB58DD8D82C9305F73C6E
                                                                                                                                                                                  SHA-512:DABA1DC82031056430E0150DAD18B43BB3D4A6AFD67E802BC7F867D274E1221F5BB9C12EA3213148FB6114FB79559C86E141C75D828ADC11F7C4372E70072827
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):311
                                                                                                                                                                                  Entropy (8bit):5.363090655038483
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:EGLzVYRFoUgLhHx0iFolaXM+MA3GtfX2SMOFrNNRJhl//bB9bPL9RbtBnbPZrVTF:EGLzWF65x0mq3kJO9NX
                                                                                                                                                                                  MD5:433000AA79D90F93C87E11F86A786F67
                                                                                                                                                                                  SHA1:A1B8B8F69884A4CE9BB433D96ACBED3337C5AE5E
                                                                                                                                                                                  SHA-256:08E569EEABC5D4082F4A59142F22534FF57F12F991CD4E1A36811511799EF109
                                                                                                                                                                                  SHA-512:DB752A2D65D8F276D6225A7C478EB1674EE3B0829CA57272A54D55C1C9E25A9E9DDD93699E41D6CF53E36313C8DDF4C0C034EDAC765139124620F0E5FFA99E8D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:libcodecs is part of the "Huorong eXtendible Stream Scan Engine" project copyright by Beijing Huorong Network Technology Co., ..6...&,:8 648..,...4&4<.46.."64....4..4.$.. 2...4.pbT.f4..4..p4"4.<&.^.:&,8.f,84".4..fp^f......V.4.2.&&.. ..84.8 64. 2.&,:8 648..,.." .. ".p,.n.:..........0,...:.8 $..<.6...&,:8 648...
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):294
                                                                                                                                                                                  Entropy (8bit):5.406360206907183
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:EBjMWEXRFoUgLhHx0iFolaXM+MA3GtfX2SMOFrFjJ//bB9bPL9RbtXhbZrVTl/9z:EJuF65x0mq3kJO9/
                                                                                                                                                                                  MD5:5E48AE384DD6874C64E8129FAA0F4D1F
                                                                                                                                                                                  SHA1:9A7A273EC1E97FA80304A51A5874E2C40E68D993
                                                                                                                                                                                  SHA-256:4CA63968FCBE57FE9A9079DBEA85375B6129ABFF45CFB42E24A7F1DDF044943A
                                                                                                                                                                                  SHA-512:20552DEBAAACF783BB128EB2A619125507921E9E3971EE43EA9613F681FBFD3BA711CD774E1DB9EDD7B56C36D1181DD42D8BB73C0AAE0CA3BEFA20E0B482BC17
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:libdt is part of the "Huorong eXtendible Stream Scan Engine" project copyright by Beijing Huorong Network Technology Co., Ltd.....:6..,...4&4<.46.."64....4..4.$.. 2...4.pbT.p4"4.<&.^.:&,8.f,84".4...4.., ".......V.4.2.&&.. ..84.8 64. 2.&,:6..,.." .. ".p,.n.:..........0,...:.8 $..<.6....",8 ."..
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):376
                                                                                                                                                                                  Entropy (8bit):5.187860451409661
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6:TMVBd6OjzIIBeBXVL9obRu9Td8gH9aO/5TMiX1+jSQdS1vwIgVf+ZaYf7:TMHdt4IBeBFLOwHR5TNl+rmxgVKaq7
                                                                                                                                                                                  MD5:0BC6649277383985213AE31DBF1F031C
                                                                                                                                                                                  SHA1:7095F33DD568291D75284F1F8E48C45C14974588
                                                                                                                                                                                  SHA-256:C06FA0F404DF8B4BB365D864E613A151D0F86DEEF03E86019A068ED89FD05158
                                                                                                                                                                                  SHA-512:6CB2008B46EFEF5AF8DD2B2EFCF203917A6738354A9A925B9593406192E635C84C6D0BEA5D68BDE324C421D2EBA79B891538F6F2F2514846B9DB70C312421D06
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>. Copyright . 1981-2001 Microsoft Corporation -->.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable/>. <assemblyIdentity. .type="win32"..name="Microsoft.VC80.ATL"..version="8.0.50727.4053"..processorArchitecture="x86". />. <file name="ipaip1.exe"/>.</assembly>.
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):314
                                                                                                                                                                                  Entropy (8bit):5.140999301390513
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6:JiMVBd6OjzPbRu9Td8gH9bZELrbvm/53SMiX6+hPABdS1FggVfgk5Z:MMHdtlwHHJ53SNK+hPIRgVR5Z
                                                                                                                                                                                  MD5:710C54C37D7EC902A5D3CDD5A4CF6AB5
                                                                                                                                                                                  SHA1:9E291D80A8707C81E644354A1E378AECA295D4C7
                                                                                                                                                                                  SHA-256:EF893CB48C0EBE25465FBC05C055A42554452139B4EC78E25EC43237D0B53F80
                                                                                                                                                                                  SHA-512:4D2EC03FF54A3BF129FB762FC64A910D0E104CD826ACD4AB84ED191E6CC6A0FEC3627E494C44D91B09FEBA5539AD7725F18158755D6B0016A50DE9D29891C7E5
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable></noInheritable>. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86"></assemblyIdentity>.</assembly>
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):6812
                                                                                                                                                                                  Entropy (8bit):4.737569607251046
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:z6H9K9r24/jtVOuVG/PCGHhWrrIafb7fL5qlz+DLSQ7LXOgF:VNtLz/Y3xB6rPPlyz+Dt
                                                                                                                                                                                  MD5:D7216C4C115C30D3DC996F339C2197E2
                                                                                                                                                                                  SHA1:9C90B140316FFB6AF090BD80DF40EA744D555B11
                                                                                                                                                                                  SHA-256:946C1E2C50EA753E2CF3F40CB4A83C319E0D5693C3B017AD3F9811792319D2EE
                                                                                                                                                                                  SHA-512:9A0F133B8517B86A29AAA0F541573842A4B76D6DE30C1167D4EEB2F08D0568CE94ABC81341049BFA328D85DFDC8D8B74177B9A896107C2438168EA4EA5B47FC6
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8" ?>.... DMTF Document number: DSP8004 -->.. Status: Final -->.. Copyright . 2007 Distributed Management Task Force, Inc. (DMTF). All rights reserved. -->....<xs:schema targetNamespace="http://schemas.dmtf.org/wbem/wscim/1/common".. xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common".. xmlns:xs="http://www.w3.org/2001/XMLSchema".. elementFormDefault="qualified">.... The following are runtime attribute definitions -->.. <xs:attribute name="Key" type="xs:boolean"/> .... <xs:attribute name="Version" type="xs:string"/> ...... The following section defines the extended WS-CIM datatypes -->.. <xs:complexType name="cimDateTime">.. <xs:choice>.. <xs:element name="CIM_DateTime" type="xs:string" nillable="true"/>.. <xs:element name="Interval" type="xs:duration"/>.. <xs:element name="Date" type="xs:date" />.. <xs:element name="Time" type="xs:time" />.. <xs:el
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):8544
                                                                                                                                                                                  Entropy (8bit):4.277108053686666
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:WvI+bMk4g+7rdT2sc4EtGXQgcWh8bvPgLIjJQ9tkTjIkja4tEDIzqIrpKaF13aSy:Wv9oq6rdT2T4EtGXdF8jPgLIjJut2Ik0
                                                                                                                                                                                  MD5:E34E94531BAF8957EBDFB5ECCDC52635
                                                                                                                                                                                  SHA1:D7139BDF34F6F167456014D4D5E16CFDFCC18214
                                                                                                                                                                                  SHA-256:5AF2CC87FE9FA69DA65C990070EE17AF3F612E3883621BD2474161BB508E454F
                                                                                                                                                                                  SHA-512:CF3F4BCF0F5DC35BFC77594FD8AD4E9C6BF32291DAE2298C84B3A465EDB4B75851C0A58F39BB6828EA69E31293E5A4DA5DAA29F4B3F31306F37941491992FC58
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4256
                                                                                                                                                                                  Entropy (8bit):5.476332948782519
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:nizQz4KzjHCKvMzSBvdI0s4TkqZfDhPhbdAQv7Dg3M3Y2UUzgJJC+Mo1tMoIJcAO:i8z4KPnM+JdLsY5xDhYrhRjaBVI7vr
                                                                                                                                                                                  MD5:7CD82242FDDA155F0DC4C830A73225C4
                                                                                                                                                                                  SHA1:436A156C8016B96B83B11931FF9562F29D805977
                                                                                                                                                                                  SHA-256:0096FD57392462D010E9B4DDDA4D021A8B5E5BA78FF097958C1E7A00EC175A2B
                                                                                                                                                                                  SHA-512:2C5133E3673D8470AF6067AF2E5B7D2150B71D3D87379CD94574F72E3CA2B251C08C7F7F530F705CB2EDD8D96263BA9A205346B5704238FC748180235C6809EE
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4734
                                                                                                                                                                                  Entropy (8bit):5.650888808404625
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:+AA8bFIK4pwdJj/JqLn5yEnxSabw7rMVrCtZcqRcU+EFUkozbFFJOHVOrS:FAmkp4JjJqLnoxscZcqRcnEmko/FPO13
                                                                                                                                                                                  MD5:8C5F95F081F6A23A2D058562A24224FC
                                                                                                                                                                                  SHA1:0D8E3138654B66998341B1B4D07CB6E0CCF56DA3
                                                                                                                                                                                  SHA-256:2288098F91E90D5F5583A42ACDB4D278A8438656A190EBC57FCC034FA0110054
                                                                                                                                                                                  SHA-512:4D4A183A07B4014848DD5B50F520BA43ACDB37C8A2E280E32CC080A6FCDE8EE5D758CD0ED71A104E6FFDF3566BAE08A1141D666E0951344D98F802C9381875B0
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):12800
                                                                                                                                                                                  Entropy (8bit):7.307434278749024
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:azbge2/99IpWUFyCKaMgXGT/bl55oqyfvN:azb619IpWUFyQiB55aH
                                                                                                                                                                                  MD5:E057AA4A56A9A2A628A8053F25A27D7D
                                                                                                                                                                                  SHA1:D839E5258BBDB871C746C2CEF52E336487535C47
                                                                                                                                                                                  SHA-256:2519081ECA56FADCF3B62E7CB22E55A1F839B9055E9F1E404FC28145D149E913
                                                                                                                                                                                  SHA-512:D968AA76B1483A14B7D829C755A99C7AD09163D18DA6806F23B3A33664292F16A4695B596B0D2BE619A3B6DC909CFCB8CB7FF236641D1CC012E4F438364945E7
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y.P_=.>.=.>.=.>.R.5.<.>...0.0.>.R.4.'.>...c.>.>.=.?...>.i...<.>.Rich=.>.........PE..L......@.................0.......p................@.............................................................................t...................................................................................................................UPX0.....p..............................UPX1.....0.......,..................@...UPX2.................0..............@..............................................................................................................................................................................................................................................................................................................................................................................................................................1.20.UPX!....
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):32
                                                                                                                                                                                  Entropy (8bit):3.3431390622295662
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:dU6mWhRE4Qm5In:vmWhlQ6In
                                                                                                                                                                                  MD5:233B4AAF620B36D5569FFB334806A663
                                                                                                                                                                                  SHA1:99E4C2ED4447B3CA2772F11374E7EC22DF06A04B
                                                                                                                                                                                  SHA-256:C0F5633F8058E6CF0FEF5CE6AB91438663A1AE2670CB49350E095D8F667C9870
                                                                                                                                                                                  SHA-512:24F4006DA19AE7B10408250AB326DB4EABE6E782BECCE130C0F25D2D0E43E738624CFD490BFAC0A8A6BD6E164C01FB76CD69BC050AD0BBF3052A854A516B0170
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:47AE4CA89C38F4D75F115CF41887F878
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2
                                                                                                                                                                                  Entropy (8bit):1.0
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Qn:Qn
                                                                                                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:..
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:Non-ISO extended-ASCII text, with very long lines (766), with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):766
                                                                                                                                                                                  Entropy (8bit):4.058458203323675
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Hf3xVxLvT5X9dz7bvfdz7JvV7zVBtD33pRXhXDhRZDR7z9fjdzp93xh/Td7f11tx:v
                                                                                                                                                                                  MD5:5E41AD36487EAB944983A14C9C124D93
                                                                                                                                                                                  SHA1:B8B098B88CBFF2F64589ABDBE7FBEFCA7C99FE3C
                                                                                                                                                                                  SHA-256:26C6BCF0EFF67807AEB9F2F407D06DF653B99724AFAD9C9A9B8129DB7D8C3FAE
                                                                                                                                                                                  SHA-512:F876BD1E49BB0C0B0660E14DD2D95C75F2124AFDE00D095674E53D0440B7BA7B89BC1A2576A9FE755B5C727E5808DB1C8A127CE4E4B2C124257412B76A200FD2
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):972
                                                                                                                                                                                  Entropy (8bit):5.7488500702321135
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Fjjlnn5tllNTFllxXxjX/DNZH1/HnDD/trvDlL5TrjJrdbXZVtX5L3dlj1b1hX7x:r
                                                                                                                                                                                  MD5:6513F31AB6F308B0B8802FA04C450122
                                                                                                                                                                                  SHA1:AD3D14C5F78B5C2F2C4DAE06A486156A7B4126E9
                                                                                                                                                                                  SHA-256:1445C8422A8FF14D8414300B819CBF2340A03A64158FCF7A3CCF76FDDB10DCA2
                                                                                                                                                                                  SHA-512:CFB2754253E71B48EB6D69BA93641D06C0608C38FFFDCE2F5E54CED002997C9821299BADF26D95B2D84A41F13CA96A4F9D1C5E38D52DB2934AEF64C988844D98
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2356
                                                                                                                                                                                  Entropy (8bit):3.7394907365919403
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:nFrrxzj79bNZbHNbZdT9LbdHr/bfblpbdXzbrbrVd9P7XF5V3Rbb/NjbdbF9X1TH:R
                                                                                                                                                                                  MD5:3CEEBAAA7FC6344B0274AB9274DEEED7
                                                                                                                                                                                  SHA1:38832454403400441F9824C2265256A650C947ED
                                                                                                                                                                                  SHA-256:F526024533673E6F167903F21978017EC712566E9EA1DD249671F119719F8DE9
                                                                                                                                                                                  SHA-512:3E63A0F5764A59E77E5B0C4680DCCB33D1D52B4E622F84762D9949B736A6BDAB416BC72F3D2501BA90D46414186EC2C42677D1528E7186128D96082C32CB00D2
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4
                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                  MD5:F1D3FF8443297732862DF21DC4E57262
                                                                                                                                                                                  SHA1:9069CA78E7450A285173431B3E52C5C25299E473
                                                                                                                                                                                  SHA-256:DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119
                                                                                                                                                                                  SHA-512:EC2D57691D9B2D40182AC565032054B7D784BA96B18BCB5BE0BB4E70E3FB041EFF582C8AF66EE50256539F2181D7F9E53627C0189DA7E75A4D5EF10EA93B20B3
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:....
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):9123
                                                                                                                                                                                  Entropy (8bit):4.770624688403829
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:FavQwyIregmSPwTy2k/3EeEQ6xGbd81PyCmD0DE:UvQwytg1425vE5bPEADE
                                                                                                                                                                                  MD5:9FE2776E8A9D4BCFEE812A69F37DDABD
                                                                                                                                                                                  SHA1:6264C527A996806B0C439F17C56B2E96DBF0FA82
                                                                                                                                                                                  SHA-256:0BCA167A1B2FAABF9F2BB59A7C55C09B25C71974DB4D6125F91A14B7071F5E9C
                                                                                                                                                                                  SHA-512:89D00A7602FC47858A0B0ADC81CDF4F63CBA0728EDA0B9824EA9DCC09B39A596A61034DA5001377444D6B6E07B454028DF528E722F5D2D268A50B296E2990259
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:<?xml version='1.0'?>..<?xml-stylesheet href="../2008/09/xsd.xsl" type="text/xsl"?>..<xs:schema targetNamespace="http://www.w3.org/XML/1998/namespace" .. xmlns:xs="http://www.w3.org/2001/XMLSchema" .. xmlns ="http://www.w3.org/1999/xhtml".. xml:lang="en">.... <xs:annotation>.. <xs:documentation>.. <div>.. <h1>About the XML namespace</h1>.... <div class="bodytext">.. <p>.. This schema document describes the XML namespace, in a form.. suitable for import by other schema documents... </p>.. <p>.. See <a href="http://www.w3.org/XML/1998/namespace.html">.. http://www.w3.org/XML/1998/namespace.html</a> and.. <a href="http://www.w3.org/TR/REC-xml">.. http://www.w3.org/TR/REC-xml</a> for information .. about this namespace... </p>.. <p>.. Note that local names in this namespace are intended to be.. defined only by the World Wide Web Consortium or its subgroups... The names currently defined in this namespace ar
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1020288
                                                                                                                                                                                  Entropy (8bit):6.392670889032173
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:m25q2rSATcolN/NKEM7GYNzOgcW6tAhc7rgnFEwXXfe5V2:m25q2rPlN/NKEhYNzOgcW6tAhy6EwXXb
                                                                                                                                                                                  MD5:C87054BA4A83C6CA19977C446A722A7C
                                                                                                                                                                                  SHA1:5743B16BC6D600E27B66D13CC04208BAE2A9A880
                                                                                                                                                                                  SHA-256:6CB166C1895FC7DF5235658E3963C82200BBE5E71005FDB4F8744657A7F49B09
                                                                                                                                                                                  SHA-512:87449A5FEF2B2B77198E0D946452F8E05B8F2B7ABAE239EDB2B848BD5E3F7A332A208DE71CAC7912D788CD1C47F80FA2BE9ED61DE2F8EA378E610A1DC0C46A9A
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c..('.`{'.`{'.`{s.Q{%.`{.V.{!.`{...{&.`{...{".`{...{+.`{'.a{.`{.V.{2.`{.V.{&.`{...{4.`{...{f.`{...{&.`{9..{&.`{...{&.`{Rich'.`{................PE..L....,WT...........!.....<...8......c........P......................................`...............................p...30...t..T....................x..............._...............................................P..P............................text...-;.......<.................. ..`.rdata.......P.......@..............@..@.data...@...........................@....rsrc...............................@..@.reloc..r...........................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):287616
                                                                                                                                                                                  Entropy (8bit):6.429805120462574
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:54s5ND8mRd6PUep7GdwmT+8b/IgcyIFoWIBOtBp2HsoM:5D5ND8mRd6PUep7GwmT+c/hOIg2Mp
                                                                                                                                                                                  MD5:F260AF60120ECE46C499BADA5B4277AD
                                                                                                                                                                                  SHA1:F1790AAC72B10A4BD4D88E9A143B96BE996197AC
                                                                                                                                                                                  SHA-256:D52D01E382EA39D005F7AD2F3C13DA45B4DE4779608E08A9FB1AD5630D122043
                                                                                                                                                                                  SHA-512:19FA19716965E0034AD57B0CE15BFF54DEC67D3C7E73408ACEC2E642E82DE4AC1E0C42E19CA58C494A1F95014980FDBDC9D904701F2CB421C993B9660F3C5C89
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............@...@...@...@...@{.C@...@.@@...@.V@...@.Q@...@.F@...@...@...@._@...@.G@...@.A@...@.D@...@Rich...@................PE..L....,WT...........!.....B...................`......................................X.....@.........................@................0...............J.......@...2...d..................................@............`...............................text...T@.......B.................. ..`.rdata..#....`.......F..............@..@.data...\...........................@....rsrc........0......................@..@.reloc..tD...@...F..................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):306048
                                                                                                                                                                                  Entropy (8bit):6.678408876122077
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:YxgkPaSM1AoCbO0PSyTws4H9pAKz6QRWO2TBdHRrtYOttYO7l:YDPaUBKODmH9pdXRWO2TR/
                                                                                                                                                                                  MD5:2E63EA70505847A7DB340F5004FDDE71
                                                                                                                                                                                  SHA1:A4DA7AFF18A9A747490633F5490959BAF75658B7
                                                                                                                                                                                  SHA-256:87AAB5BBBD2360C819B4E58BB0667693147764BA39FCDCBD3549ECA1D57355E3
                                                                                                                                                                                  SHA-512:7DF80C017E2F5D1E40CB41795F40E82025B5ED188BD5AF4C812D24F9E8C77438C259417E8592C4D528D37DA495815A057623CCFA67DF35B27980847DBA91AEF5
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........L.}...}...}.../D..}....S..}..M2V..}....U..}....C..}....D..}......}......}...}...|....J..}....R..}....Q..}..Rich.}..................PE..L.....4T...........!......................... ......................................&.....@.............................Fk..p...................................L....%..................................@............ ..|............................text............................... ..`.rdata..F@... ...B..................@..@.data...(....p.......N..............@....rsrc................T..............@..@.reloc..f8.......:...X..............@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):73088
                                                                                                                                                                                  Entropy (8bit):6.419370395015747
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:OD24dyONDcOUOM498ldXs2xnQ+xcLP0OK2LBaNwF:X4kOO498laIQ+xcoOK2LBaNwF
                                                                                                                                                                                  MD5:15F1FEC47E3AC4A2AE67BDE110CA698C
                                                                                                                                                                                  SHA1:84EA58DEA72D9FE5B36ED64BEF2C19A43DF90EC1
                                                                                                                                                                                  SHA-256:003D0E9F37639687CD72F8499743F88B54388A81E4322260280A70C0E601AE21
                                                                                                                                                                                  SHA-512:C42E8F04FBFCE139D8365CC69CC161469FBB5443A2ACD9CCBBC584F85B04ABE2DFDDCAD1D53ECFB2AB54EBF004F5F10B730A2E677BBABFAD56400BEA7371AEEC
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3
                                                                                                                                                                                  Entropy (8bit):1.584962500721156
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:I:I
                                                                                                                                                                                  MD5:C2AEE86157B4A40B78132F1E71A9E6F1
                                                                                                                                                                                  SHA1:162CDC2A8B567050EAE25592EEEDAF33464A7A76
                                                                                                                                                                                  SHA-256:46DB1CA7F3598C26C3E6C8D99E3ED95D2B1C76DB040B8F8CD29AF723EE086077
                                                                                                                                                                                  SHA-512:784CC010C961A58B42984A4EC538D299AB92C01CB95171C220FD26C473491F839FD032960DC148C866DA45411D4ACB93188F0F7857F6F2C09DDF3E9FF50248DB
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:892
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3
                                                                                                                                                                                  Entropy (8bit):1.584962500721156
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:U:U
                                                                                                                                                                                  MD5:43FA7F58B7EAC7AC872209342E62E8F1
                                                                                                                                                                                  SHA1:F022DA4E40566305C0C8F39FD8F4B83DD5368834
                                                                                                                                                                                  SHA-256:96BB293AAA330EF307EE004448B92B75FFDC25ADE2831ED23FC60FFA97FFFB7F
                                                                                                                                                                                  SHA-512:64B5514668BDBE6ABE7F86ABD790005F46D593D8E3EFB785C87DD8BA9035B8BC5FC72001DA81883391B690A5191057062EE711401C3E95C1935A3D3FFED138FE
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:816
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3
                                                                                                                                                                                  Entropy (8bit):1.584962500721156
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:kQn:kQn
                                                                                                                                                                                  MD5:82F2B308C3B01637C607CE05F52A2FED
                                                                                                                                                                                  SHA1:75D2A5A3C528920D00425F29099EED114B9134E0
                                                                                                                                                                                  SHA-256:5C3E9040008C91509E2D28E5308034B677D4E2CC0B386863D4883BDB747EBA1C
                                                                                                                                                                                  SHA-512:91CCE11EEDA35FD527AC3DDBB930281FCB14AF0EE46412D7A389B59AEA3F8D56F3D46E2EC3BE167406AC4D8FBBD4F7C1246C8F1E30384FDC913703A48D36E4BD
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:725
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):14
                                                                                                                                                                                  Entropy (8bit):2.7534343861887853
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:ldNojgn:3NoEn
                                                                                                                                                                                  MD5:5224444F84FC62353F98AD824C1B4F7F
                                                                                                                                                                                  SHA1:9BC379C9B01210F9AC136B87039584FEBFD8465A
                                                                                                                                                                                  SHA-256:F47FFEC6EA87BE558D26F9585C02E06A1B657959E4FA1A0EBEB883504BE2EFD4
                                                                                                                                                                                  SHA-512:387BDACC1827D046D28AE73352E6D85DB018B06F70146952AB92EA004CD46F8154F5BB9153F17DADB5F6CB20CF6352AB6D1D4B1866076F97427D26F11C9D1FA0
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:+/.4"(4++)4+)#
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):9
                                                                                                                                                                                  Entropy (8bit):2.197159723424149
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:1Z:1Z
                                                                                                                                                                                  MD5:0D7C1D8AE080978B8436817C87C11684
                                                                                                                                                                                  SHA1:C83087520942084476EF74151BF451A0557993DE
                                                                                                                                                                                  SHA-256:53D24F3BC80C44785C7645F347A17942B607CAA451FC2337F458EA0A73F920AD
                                                                                                                                                                                  SHA-512:8605C26C90441DFC7DEE0C5816DF5DDCEF42D4A02DE7D819936A60C10A57191AD67F0B95F23FE8CE085EF5F156FBBC57303B44A995AB13B2B8CC941AAB73FEFE
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.cf......
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):5
                                                                                                                                                                                  Entropy (8bit):2.321928094887362
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:K:K
                                                                                                                                                                                  MD5:49394C8AF72820A1AEB5C9924E2D9281
                                                                                                                                                                                  SHA1:9F09DA9131EE0047BC4E368ECFF439F0F5E250BF
                                                                                                                                                                                  SHA-256:631102D19F7CFA51907975CF02066DE70C2F4B5B6A4E3A7F9C4871719DC2A97E
                                                                                                                                                                                  SHA-512:A3D662166699AC8784C01E0B7EF5D8F7716136B87EE0CB9FFBF5F45F730B8470E7ED57A90956E1F0FA4F4DE5C5C60960AF8622493EBCC88B2A0929FE798BAD60
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:,)-*+
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3
                                                                                                                                                                                  Entropy (8bit):0.9182958340544896
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:tH:1
                                                                                                                                                                                  MD5:E62595EE98B585153DAC87CE1AB69C3C
                                                                                                                                                                                  SHA1:40B904FD8852297DAEAEB426B1BCA46FD2454AA3
                                                                                                                                                                                  SHA-256:38760EABB666E8E61EE628A17C4090CC50728E095FF24218119D51BD22475363
                                                                                                                                                                                  SHA-512:84387A560C74CD17A3E1D618181BD7734CACDB1D7B5A52EDF20FBB27C4FEFE25BD4F839C12E842C61CCD57308FD6A6B3987DC237ACCD213B9818D751C3990C10
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:aab
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3
                                                                                                                                                                                  Entropy (8bit):0.9182958340544896
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:tH:1
                                                                                                                                                                                  MD5:E62595EE98B585153DAC87CE1AB69C3C
                                                                                                                                                                                  SHA1:40B904FD8852297DAEAEB426B1BCA46FD2454AA3
                                                                                                                                                                                  SHA-256:38760EABB666E8E61EE628A17C4090CC50728E095FF24218119D51BD22475363
                                                                                                                                                                                  SHA-512:84387A560C74CD17A3E1D618181BD7734CACDB1D7B5A52EDF20FBB27C4FEFE25BD4F839C12E842C61CCD57308FD6A6B3987DC237ACCD213B9818D751C3990C10
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:aab
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):13
                                                                                                                                                                                  Entropy (8bit):3.0269868333592873
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:q1vC:q1vC
                                                                                                                                                                                  MD5:213802ED7972AEAFE6237FA1453F1FD0
                                                                                                                                                                                  SHA1:794A4B01CD429D110180DAA19204A098C42F11E6
                                                                                                                                                                                  SHA-256:398380CF3867FE7C45A44E02C5542299346B631E627DB931B1FB4C8BE82C58E7
                                                                                                                                                                                  SHA-512:FE6CFC85A06969389B3AE345C566AFEE7F55F011425070B9AD6342F474266A440EFBA98EA8181DF1AE24A3C617E6CF2A3C916740198F3FEB1B70B5B403A537CA
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:af.cbe.a`..`g
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):67184
                                                                                                                                                                                  Entropy (8bit):6.560571950422605
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:mE8Ush0dMK0vVZdisbH8iBRq8aZ+LhN3r22t19zS4Kye8pOxbGew2MSPDGjENAMb:mE8tSiKlqcHFChNbj19znKy92bGjwx9
                                                                                                                                                                                  MD5:D9E742CB7C33C378602A144904756845
                                                                                                                                                                                  SHA1:6E9C521A8E657FC8B46312AD79C1C7CE08C10766
                                                                                                                                                                                  SHA-256:29626F619DB47C528EB910C15CDF2D139B512024331DAC91E7C562DF4FF297D8
                                                                                                                                                                                  SHA-512:4474909CEE6BEA404918A0D9650D72F766A0FB27A5BB7A0BAD04BBD6F6F05EBEC11BEAE9080B4BD9E7A55A8614517B7A7F1DCF49F68308E51AEDACB2FDAC164F
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):64960
                                                                                                                                                                                  Entropy (8bit):6.573463392054397
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:mbT78So0kats7efpLfvQcl/h5GDwVwZtyA+7XXxDp:mT8Syaq7SBQ35+b/
                                                                                                                                                                                  MD5:644F4DF789E7B1CC9DE8FCAE8A9B7035
                                                                                                                                                                                  SHA1:DA389C035C18342DAC47D82333E6F6A9D54E067E
                                                                                                                                                                                  SHA-256:D2A5F4C9A8DE1FFA1482277889D71738F220DDBD287A279FA11CF2EB4FC1F0E8
                                                                                                                                                                                  SHA-512:5B49BC385D6460F60FE5D598FCA27E68378A2D7752FA0A9ED7956A1B16B1CCF22EF6300AA8A36AD284047B7D8C4A2654EFFECA845BEC24D21BC9E727A7F39349
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):438
                                                                                                                                                                                  Entropy (8bit):5.302102385514918
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12:TMHdt4IBeBFLOwHR5TNl+rmxgVKaGNLzIZ:2dtFEDCwHTTNl+rkgkJNLzc
                                                                                                                                                                                  MD5:1CCB36CF4D7744F2A2449710032573F8
                                                                                                                                                                                  SHA1:22C61BCDFB941EB6AA0829F8FECAA7B716895BF4
                                                                                                                                                                                  SHA-256:8DC44CBA880E8E7A0776981FAC21094F905750C02890CBADC5059D1049D357EB
                                                                                                                                                                                  SHA-512:53C6595A29C4636E4FDD800A48DEBF299DBFAC16396C217165BCB9D2E1B431982A1E3D5C8EA7850C178A6F6DA599DDF862DC7F64F29884EC0633A879B5B9C6B3
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>. Copyright . 1981-2001 Microsoft Corporation -->.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable/>. <assemblyIdentity. .type="win32"..name="Microsoft.VC80.ATL"..version="8.0.50727.4053"..processorArchitecture="x86". />. <file name="ATL80.dll" hash="6d7ce37b5753aa3f8b6c2c8170011b000bbed2e9" hashalg="SHA1"/>.</assembly>.
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (504)
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1829
                                                                                                                                                                                  Entropy (8bit):5.362806750573066
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:3rpK+higVB09kkK0hpzxU09kkKqYhzQC09kkK0FFz9:7pthNXkHndUXk8hNXkFjh
                                                                                                                                                                                  MD5:12B6A5638A4D54F6E613CAFD04BC1C0D
                                                                                                                                                                                  SHA1:0BD3E9F83883B00DEA8DC95112C8BBD74A14EDEF
                                                                                                                                                                                  SHA-256:3B55C9DA463C5F6BBBD1E73398FABDC30998BC525F4FE6E586BE711E660BC800
                                                                                                                                                                                  SHA-512:15272B53972D70C089C9EBF554DE7DD1BC4707EF2FA8D526E7022FC21C8A74AD039387FB4BB53835D0B4443227CB1AD1C1D2CFCB1D205C2729F13BD1FAF9B008
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable></noInheritable>. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86"></assemblyIdentity>. <file name="msvcr80.dll" hash="0a38b652c9d03caab803c6b2505fa301e345bab2" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>TM0VvywbHVQayIOw9CSX6M7WpaM=</dsig:DigestValue></asmv2:hash></file>. <file name="msvcp80.dll" hash="678bf3da5d1987bb88fd47c4801ecb41f51366ef" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xml
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1506), with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1860
                                                                                                                                                                                  Entropy (8bit):5.392371898016726
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:3SlK+vU6g49Pd09kkKKMzEAZ09kkKxrzVHNw09kkK3zY:Clt8CtdXks5ZXk8pNwXkK8
                                                                                                                                                                                  MD5:53213FC8C2CB0D6F77CA6CBD40FFF22C
                                                                                                                                                                                  SHA1:D8BA81ED6586825835B76E9D566077466EE41A85
                                                                                                                                                                                  SHA-256:03D0776812368478CE60E8160EC3C6938782DB1832F5CB53B7842E5840F9DBC5
                                                                                                                                                                                  SHA-512:E3CED32A2EABFD0028EC16E62687573D86C0112B2B1D965F1F9D0BB5557CEF5FDF5233E87FE73BE621A52AFFE4CE53BEDF958558AA899646FA390F4541CF11EB
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.30729.4148" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="msvcr90.dll" hashalg="SHA1" hash="98e8006e0a4542e69f1a3555b927758bd76ca07d"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>+CXED+6HzJlSphyMNOn27ujadC0=</dsig:DigestValue></asmv2:hash></file> <file name="msvcp90.dll" hashalg="SHA1" hash="3aec3be680024a46813dee891a753bd58b3f3b12"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:d
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):570240
                                                                                                                                                                                  Entropy (8bit):6.523986609941549
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:NZ/veMyZ137mSEWT0VkypLvgLehUgiW6QR7t5183Ooc8SHkC2eU8Z:NZSZ13iwJmgLq83Ooc8SHkC2eN
                                                                                                                                                                                  MD5:232708A3FB0137133BA1787EF220C879
                                                                                                                                                                                  SHA1:4F725F93081FE15C6AF99E32F3E97CCB22E15BFE
                                                                                                                                                                                  SHA-256:64236B28CB287D9C912D1DB753B21BEB95009340B7ABB2717E40CE8D91946C89
                                                                                                                                                                                  SHA-512:90DAEFA1F3D3608700074F349D0CD5E5D2EAE090ECAD07352E553F08087A2EDDEB457F235CDC7E4869C4CF24E895C05C11AF968E68CFD0B6AA8092C98DC7E4FC
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):653696
                                                                                                                                                                                  Entropy (8bit):6.885617848989009
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:Bhr4UC+UumMaIYE8EoPP1cI9xPP2OKDL9QXyG2pUmRyyva:VU9FNPPbxPP2OeL9Q2pUmRyyva
                                                                                                                                                                                  MD5:4B9B0107D35859FA67FB6536E04B54A7
                                                                                                                                                                                  SHA1:60F5D36F475FEA96F06AC384230B891689393486
                                                                                                                                                                                  SHA-256:EA59B23FC4799B10B07CC1E4F81BBCB7FAC712D93E2BA48DE50046E5B4C140DB
                                                                                                                                                                                  SHA-512:324EDB6D0C618C20260417B86189C27D6E1EB00944C7F5A6C59679365E618D262C71433749DDFEF253B723F1D1B3167982B4742164A167B3CFC85C651300382B
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2003), with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2357
                                                                                                                                                                                  Entropy (8bit):5.378158011805663
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:3SlK++U6g4A09kkKNzx09kkKJpzSgd909kkKzZuzl09kkKTzY:CltFCAXkgNXkKGgd9XkxZXke8
                                                                                                                                                                                  MD5:0323AF0C3E694D85650AE55AA27EEFB3
                                                                                                                                                                                  SHA1:672079C9564B4EC16EFB24DC80DE3EBEAF2A9F27
                                                                                                                                                                                  SHA-256:1FED2074AB9F90D9FCCC5A49B6AA42C917674C2B5C7B1BB93FB67B0E0C944818
                                                                                                                                                                                  SHA-512:5DF2D8B07B3ED0CAE3536C09AECA714B56EB75BC76668447C45917E890F5D22EF14B6059BD5782FD06D075A8497BC39A89F809E413C637405AE9BE4193C66FE1
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC90.MFC" version="9.0.30729.4148" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="mfc90.dll" hashalg="SHA1" hash="ec50bf1691888076202d5831599ac75ba0d35977"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>WuUqeI7Lf0+bhIfTm0T6Pv1L13g=</dsig:DigestValue></asmv2:hash></file> <file name="mfc90u.dll" hashalg="SHA1" hash="c752d2a42c0b82d2145cebcda60c7e5a43245cf4"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3765632
                                                                                                                                                                                  Entropy (8bit):7.006945366952565
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:98304:dOPkcHVGUQywT84a5IY9IViQ0zMzlp7toNTbPXQlk3glLsFLOAkGkzdnEVEFoKGA:WkcHVMTlBp0TrwlLsFLOyEFoKGD8
                                                                                                                                                                                  MD5:225F7A12F61B3276D12310F457822D7A
                                                                                                                                                                                  SHA1:F05B2DFE12D946606DDF0CD7E8A15027D75718AF
                                                                                                                                                                                  SHA-256:3CED269344FD6AC7A3872D3DA39364397193C650A497702A0849C9543601A42E
                                                                                                                                                                                  SHA-512:EF09DBC3FF0C6F1B229B4FCFD371A05E5570FDEB296D0F051F1AFD7C2F2567CEF86E47A3DA1B6D3B4AF116D9AC9F7508C36BAC065120F4519BC960AB0475349F
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):29
                                                                                                                                                                                  Entropy (8bit):2.9968027726780173
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:HSu+QvdSG/cn:+SQqc
                                                                                                                                                                                  MD5:6E17DDA977CBC993A9308145693BFE90
                                                                                                                                                                                  SHA1:D964351BEE8764DE9CBCA186B7D1F526EB6361DB
                                                                                                                                                                                  SHA-256:615707952EB080E6824699C73F1D914C2278E103CEA452CF4111063DD274458C
                                                                                                                                                                                  SHA-512:3A1A40DBE7FF5911B3D42DF7C8A74470869CE3F75612A19A73256C799F2A1DD472607F3C89DAD5060AEC1FA953BDFED90A481A4413D2999D122B7AB1D8F7DA77
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:577F7F777C753E756875FCD3D7619
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):5972392
                                                                                                                                                                                  Entropy (8bit):6.868183225292118
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:98304:ygUifEmDR4lEtsaowOSiL5f5aLbunw8Y6+15cmCSrw0sn/DVpFLOAkGkzdnEVom5:gifXD+Ktu75fu11CSrw0c7nFLOyomFHj
                                                                                                                                                                                  MD5:06808B78BCC668E76A1F3B9589B985F2
                                                                                                                                                                                  SHA1:07349BD4A98F70C0870802FCE91CE4F15DCB48AD
                                                                                                                                                                                  SHA-256:4E560A33A3585F5F6DDD4674E8D8098B977BA3AE320ACDC4ABAC33B89CE17C97
                                                                                                                                                                                  SHA-512:CED48BD909ACC1B4012A8FC56C8EE76CB0716611B9448465E8DE1670444C04E3B602D7F5A3AF66527EDF760DD10EAA12C68511CF1154B9B8A349D8D443B99EE7
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):125376
                                                                                                                                                                                  Entropy (8bit):7.998479503470445
                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                  SSDEEP:3072:FI6dBzpxvuZ9UIQrNJ6DKxOssBCI4sB74xoGhFo4Z1J21:m6zzYsBMcsBCpO6Py
                                                                                                                                                                                  MD5:0C21E337569640A73AF44474F44CB9F7
                                                                                                                                                                                  SHA1:82C3C1C2602250441C1B18200F7FBDC2B6443352
                                                                                                                                                                                  SHA-256:BC58641B4F43BE40016044046321F77DD153F0BFCE6E4E9D765711838DB13ECA
                                                                                                                                                                                  SHA-512:7D19FBF9E907E468C34813B0E1E4F2880762573C9EFE678C36C5CA254890A4B0A008DE72E824345C3FBB838C7BAE3E3D991D46CFAF0FAA73BE89EA88DB2E3C76
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):29
                                                                                                                                                                                  Entropy (8bit):3.0657682899193968
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:4j46giWEcn:046BWEc
                                                                                                                                                                                  MD5:23A56B3DBA64589852CD17E11CA111EF
                                                                                                                                                                                  SHA1:FD6568661FC88695B76489727FB59734B2152427
                                                                                                                                                                                  SHA-256:0415B8232791D3345042C516C9AF6F4FCACCFAD5D794FDAF1A15F0B34C77C3D1
                                                                                                                                                                                  SHA-512:29837A72F9C7858C2DA38C2D69C64E98A531CDBF46D8EC7E92F608F917D93619AAC6B38DDD792FCDD8F654B51C7F6D6518F3CA120E7502AE8AFB979FEA015C59
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:7C79727375763E747C7CFCD3D7619
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):667648
                                                                                                                                                                                  Entropy (8bit):6.655676024268379
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:G36HjCm6ltuRXQ/g+hVfW2LDzeLA5rJWutAWQSHOALXB:VCm6ltuRXKg+hVfWkDEA5tDuyX
                                                                                                                                                                                  MD5:BA4ED2E6B25A8C9EDA3DA4CE85A5054D
                                                                                                                                                                                  SHA1:C3B2EF12347E0C5206B4C3959FA96CD7F064F10C
                                                                                                                                                                                  SHA-256:31370AB9ECAFEA8528D0C844C34B7721042C93A8E45278C4452B62ABAADE9182
                                                                                                                                                                                  SHA-512:87C10EA2B82D79BD96CA453D808D937841A45CEE331E5914E5B9A7D6665BB41864D90E08E47F4000C1EEBC64F1E4035B010F545B2068B3604A7B8C87F1D30DBB
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):330752
                                                                                                                                                                                  Entropy (8bit):6.280455055315828
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:x9LbnjzIPOmRM0KQfU9JwjvD2xCovPVZHuEi+e15HiEGPGqQiblLYEaZ4OYlYXo2:b928/BvNZ8NHd7ibGYuG9/31P+HvufI
                                                                                                                                                                                  MD5:AF1EFD2EFED6CC982E4AD7E1C19DC057
                                                                                                                                                                                  SHA1:88C72A225D8DF3AF56A69EFF41295624FBE821E8
                                                                                                                                                                                  SHA-256:00E7F8BCF5A97ED5A4E16A03E50EDEB6C2CCACE498DA46753E56C9A65042552B
                                                                                                                                                                                  SHA-512:D6876F27010EBD4C7C28F1A8B14EF41D7096B35402EF0B0196C379C5D130AE3C9F94DE63B70E5A0E62BA717B7A07B478D830DC5896BCBA721E5AE0D2BAC14A00
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:MS-DOS executable PE32+ executable (DLL) (native) x86-64, for MS Windows, MZ for MS-DOS
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):42976
                                                                                                                                                                                  Entropy (8bit):6.2171815555231875
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:iHfqCaczo/ZinYCOd9L9KyhaM7JubDGpZRKjKj9MPgkU7:8fqT/ZWY/L9l7JheMJ
                                                                                                                                                                                  MD5:671F95CAB2B5CF121125413F250F5275
                                                                                                                                                                                  SHA1:73D99D09A3D8978A5C6DB43CEC85FB43B03B7A26
                                                                                                                                                                                  SHA-256:728A1FCDEDCA6DBD8FDDDE3F33CD64DD99853C26EF5B10D3FEF0D76D0480964B
                                                                                                                                                                                  SHA-512:4AF690AF838CEB026636931AEDE3852EAE6D83881149EF4C28CC1DD032C3F7F6A64B30171C2524512FACD40496DAB305523D20637B44EFBF0D5805D0FAD1FFCB
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):5972392
                                                                                                                                                                                  Entropy (8bit):6.868183225292118
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:98304:ygUifEmDR4lEtsaowOSiL5f5aLbunw8Y6+15cmCSrw0sn/DVpFLOAkGkzdnEVom5:gifXD+Ktu75fu11CSrw0c7nFLOyomFHj
                                                                                                                                                                                  MD5:06808B78BCC668E76A1F3B9589B985F2
                                                                                                                                                                                  SHA1:07349BD4A98F70C0870802FCE91CE4F15DCB48AD
                                                                                                                                                                                  SHA-256:4E560A33A3585F5F6DDD4674E8D8098B977BA3AE320ACDC4ABAC33B89CE17C97
                                                                                                                                                                                  SHA-512:CED48BD909ACC1B4012A8FC56C8EE76CB0716611B9448465E8DE1670444C04E3B602D7F5A3AF66527EDF760DD10EAA12C68511CF1154B9B8A349D8D443B99EE7
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):376
                                                                                                                                                                                  Entropy (8bit):5.187860451409661
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6:TMVBd6OjzIIBeBXVL9obRu9Td8gH9aO/5TMiX1+jSQdS1vwIgVf+ZaYf7:TMHdt4IBeBFLOwHR5TNl+rmxgVKaq7
                                                                                                                                                                                  MD5:0BC6649277383985213AE31DBF1F031C
                                                                                                                                                                                  SHA1:7095F33DD568291D75284F1F8E48C45C14974588
                                                                                                                                                                                  SHA-256:C06FA0F404DF8B4BB365D864E613A151D0F86DEEF03E86019A068ED89FD05158
                                                                                                                                                                                  SHA-512:6CB2008B46EFEF5AF8DD2B2EFCF203917A6738354A9A925B9593406192E635C84C6D0BEA5D68BDE324C421D2EBA79B891538F6F2F2514846B9DB70C312421D06
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>. Copyright . 1981-2001 Microsoft Corporation -->.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable/>. <assemblyIdentity. .type="win32"..name="Microsoft.VC80.ATL"..version="8.0.50727.4053"..processorArchitecture="x86". />. <file name="ipaip1.exe"/>.</assembly>.
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):314
                                                                                                                                                                                  Entropy (8bit):5.140999301390513
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6:JiMVBd6OjzPbRu9Td8gH9bZELrbvm/53SMiX6+hPABdS1FggVfgk5Z:MMHdtlwHHJ53SNK+hPIRgVR5Z
                                                                                                                                                                                  MD5:710C54C37D7EC902A5D3CDD5A4CF6AB5
                                                                                                                                                                                  SHA1:9E291D80A8707C81E644354A1E378AECA295D4C7
                                                                                                                                                                                  SHA-256:EF893CB48C0EBE25465FBC05C055A42554452139B4EC78E25EC43237D0B53F80
                                                                                                                                                                                  SHA-512:4D2EC03FF54A3BF129FB762FC64A910D0E104CD826ACD4AB84ED191E6CC6A0FEC3627E494C44D91B09FEBA5539AD7725F18158755D6B0016A50DE9D29891C7E5
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable></noInheritable>. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86"></assemblyIdentity>.</assembly>
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):6669
                                                                                                                                                                                  Entropy (8bit):4.733830185137714
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:4c2LQ563O84ggqSdqfD6JngOvFfkxFfdpj8IY8YS3dRp79S7EO:pIEiKT5hTvWx11Y8YShhS7EO
                                                                                                                                                                                  MD5:748E5EA71A607EA89B219AFC97052259
                                                                                                                                                                                  SHA1:8677307E553474320A2616EABBC5534F42D100BC
                                                                                                                                                                                  SHA-256:E481BA3734925C59839FDB29E5FB171F0DF0640A48D4C61C9CAA9F475D2ADE89
                                                                                                                                                                                  SHA-512:49F78793C75A70502E43A138F762940149F536BB494473B1672A1E0E0C7BE2AA72337B3524EB0E4D5F0B60203711D87958FAB88F1404476BF779967350B00364
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):6252
                                                                                                                                                                                  Entropy (8bit):4.765802565676888
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:8q+c4RnQTyZHZo/zjH26bojOpyuT/j8I8hi8v8hqCPC5/P5zn:8jYo5oLjH26EjOp/Mn
                                                                                                                                                                                  MD5:1F9D7E57FE35D3A35FE49E6E2BAC8707
                                                                                                                                                                                  SHA1:E6C4BCC56AE5742E7B825F489BF33B491970ABE6
                                                                                                                                                                                  SHA-256:7522EF5C3E10BF279E777054D858955F1B9F63A39CCB408364C413E6E3D49A04
                                                                                                                                                                                  SHA-512:489C79155C5E84702B58072E8A44C123D8F0C3F226A5073EAE343506A76D0E378418557DD29CEF8283425A46A248132CCB1F78E13C867829E399CB6EF17769F2
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):7220
                                                                                                                                                                                  Entropy (8bit):4.592203217648416
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:eOu4nxWcR1emdX4DRkw0UzNAHSZwIQshZrlLBXWeOwg6lz737RC:HScRkB6WmSZRhZiePlzz70
                                                                                                                                                                                  MD5:6E09177086163D64ED7AB890D70CFDF3
                                                                                                                                                                                  SHA1:87B7FCA47DA5BAE28C7182A221E923588EBEADF8
                                                                                                                                                                                  SHA-256:B0E8F4379AA7B1CF11C196354C6C0212558B1E5BA20332A34F30B5263D4B1EA9
                                                                                                                                                                                  SHA-512:48191FBA9308E58CE482193CAB4DEA032A37136D6F1D1132B45D0894B18EA3B5BE330BBF9FA61CF2C5BC711B371D53430554BAF103CEC027E6026E5F27A292C5
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 9 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):25214
                                                                                                                                                                                  Entropy (8bit):4.526069485099958
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:eLpEC0qWDnDjVSV/+/CB1+n2GHOMmM5H6:1C+Sp1QdHOc5H6
                                                                                                                                                                                  MD5:9946B791C261BA0A4CCF6E46F7B54546
                                                                                                                                                                                  SHA1:3082E44F89AB9CD5ED1705F0470A33D1279D2A67
                                                                                                                                                                                  SHA-256:62729E6D23D8DD347ECCB5B9D292A089ECA582694082EB8F1DDF55E9AE18B0C0
                                                                                                                                                                                  SHA-512:A2C11556486E5F1B417F61ABCDA1BB3B064CD29515DDD0CF94985E24043D2F1483E74938711290A3FD681157F2559ED719B30B367481D81B41E01676E84DC03C
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4
                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                  MD5:F1D3FF8443297732862DF21DC4E57262
                                                                                                                                                                                  SHA1:9069CA78E7450A285173431B3E52C5C25299E473
                                                                                                                                                                                  SHA-256:DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119
                                                                                                                                                                                  SHA-512:EC2D57691D9B2D40182AC565032054B7D784BA96B18BCB5BE0BB4E70E3FB041EFF582C8AF66EE50256539F2181D7F9E53627C0189DA7E75A4D5EF10EA93B20B3
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:....
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4447
                                                                                                                                                                                  Entropy (8bit):5.418213783438325
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:cqGYHvAfKA/nFGBlyL5tTIYOBcZbISSZrJz94IvXqUQEQ6TH3Hzniv7:cQgrnwPyVCYOCZ8BZrJz94IvXqUQEQ4I
                                                                                                                                                                                  MD5:DA44E0F806463B7F0D3FA8C93A4E50DE
                                                                                                                                                                                  SHA1:DAE138775B448187C099EB4C6EEE463E4CD47E84
                                                                                                                                                                                  SHA-256:FF4CBCFEBE833E21C37A02C04257FDB2369E42E3BE18DCF75335333A06EA789B
                                                                                                                                                                                  SHA-512:9E8BD23F668BF312817592445C9E2BFC2CFDCC2BEF47DDFE711C750409CEE5855F2E9AFD96DA4F3F4B5E7C92A8C4C675AF45389A40C3033F73453971BD358C3D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N!....N+....N9....NJ....Nb....Nl....Nu....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....NC....NY....No....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N'....N;....NI....NW....N^....Nq....Nz....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....O-....O2....OK....Or....O.....O.....O.....O.....O.....O.....O.....O'....OC....O`....O.....O.....O.....O.....O.....O.....O.....O.....O/....Oa....Ow....O.....O.....O.....O.....O9....O[....Oy... O....!O...."O....#O....$O....%O....&O....'O....(O....)O....*O....+O+...,O....-O.....O..../O?...0O~...1O....2O....3OB...4Od...5O....6O....7O....8O....9O....:OY...;Oo...<O....=O....>O....?O....@O....AOW...BO....CO....DO(...EOu...FO....GO....HO....IO....JO....KO....LO....MO....NO....OO....PO....QO)...RO1...SO;....._...DetallsDesa.s un .ndex on es poden realitzar cerques. Intro
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4278
                                                                                                                                                                                  Entropy (8bit):5.761351246793285
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:0CLGsy4GgACuoiU4CJeDof8QQgWu6/K3eVeRl2c0cLeI:lLTy42oiJQwof8Qcu6y3WWr
                                                                                                                                                                                  MD5:E160C8912A6E73BD4CD2544A9F3C3974
                                                                                                                                                                                  SHA1:E46EF68F3113BD36D40635C76452445F7D359F39
                                                                                                                                                                                  SHA-256:C01E38999FE2C1F98B5429BD550AE8A9F15F10D09D41EFFF8F3C7F4F1F66209C
                                                                                                                                                                                  SHA-512:7CB2E47F945705DFD0030B28BD62709361DFD17AA925C68A85B34DDEE0584307C2FA918EC4B1443C2181578AFC6CD64878AADE25A469CDB2F0C45237682F35A0
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N ....N'....N0....N=....NK....N[....Nn....Nx....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N#....NG....N_....N{....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N ....N7....N@....NP....NU....Nd....Nk....N~....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....O.....O%....O/....OL....O[....Ol....Op....O.....O.....O.....O.....O.....O.....O+....OU....OY....O^....Ot....O.....O.....O.....O.....O.....O.....O.....O:....OO....Ow....O.....O.....O.....O.... O....!O0..."O;...#OA...$OH...%OO...&OU...'OX...(Of...)O....*O....+O....,O....-O*....OW.../O....0O....1O....2O2...3O\...4O~...5O....6O....7O....8O6...9OQ...:O....;O....<O....=O....>O....?O(...@Oc...AO....BO....CO0...DO~...EO....FO....GO....HO....IO....JO#...KO*...LO6...MO?...NOI...OOR...POp...QO....RO....SO..........PodrobnostiUlo.itToto je prohled.vateln. index. Zadejte hl
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3875
                                                                                                                                                                                  Entropy (8bit):5.465278759668329
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:znbLo2urHRFWbiEP15P4q7GL8cyScTs3DhDU/EZ87s:3/udeiy5P4q7i8cySes3tw/Ed
                                                                                                                                                                                  MD5:25A5E506C8A0C64D9B9E08AAAC9626E6
                                                                                                                                                                                  SHA1:82F8D1E8CE364694F03C5133604F72C2608B8924
                                                                                                                                                                                  SHA-256:229DA0D16A7FA0BFFD67B78F2F76734C7EA2129A15CE95DA9422775B4E9835CE
                                                                                                                                                                                  SHA-512:33F86B51BE09DCFEC6B9064E5906EC782C5AF9DFCC727A2A7E4BFE5FF6908AF115E5937EC7CF2BEDF103FFA1A941D340D2C0F2E13F8447FCDE1CD649E9A936BA
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:..........N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N ....N+....NF....NN....NV....N^....Nf....Nn....Nv....Nx....Nz....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N*....N:....NA....NG....NR....Nb....Nu....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N.....N1....N7....N>....NJ....NS....NV....N[....Ng....Nj....No....N}....N.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O:....O`....Oo....O.....O.....O.....O.....O.....O.....O.....O.....O.....O.....O$....OD....OU....On....O.....O.....O.....O.... O....!O...."O#...#O+...$O1...%O9...&O<...'O?...(OI...)Od...*Os...+O....,O....-O.....OQ.../Oq...0O....1O....2O....3OC...4Ol...5O....6O....7O....8O....9O/...:OZ...;Og...<O....=O....>O....?O....@O....AO2...BOm...CO....DO....EO[...FOg...GOk...HOv...IO....JO....KO....LO....MO....NO....OO....PO....QO....RO....SO......#...DetaljerGemDer kan s.ges i dette indeks. Indtast s.ge-n.gl
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:isolinux Loader (version 3.82)
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):14336
                                                                                                                                                                                  Entropy (8bit):7.08359030184487
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:Gh5TvIzjLaWhV12sPtZK7zVi8vnKnjPlVzjzmtInQt//:Gh5DI/LfnC7zQ8z02//
                                                                                                                                                                                  MD5:7EC434DAFE56FBFBBD9F609A8E51ADF1
                                                                                                                                                                                  SHA1:31EB96F0B7EEB6D3972D735F20C18A4DEB425942
                                                                                                                                                                                  SHA-256:E9A4817AB449A50364B0DD33425BDC596D222C1792A460831F87487439385E32
                                                                                                                                                                                  SHA-512:454920BCCD663FA585E1954A320616BAD5061EB03886E284284796F9D3A2079D3ED019AD9AF6E381CF647CF27ED0EA8C098C6399479B2091BD49B472728C13F6
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4056
                                                                                                                                                                                  Entropy (8bit):4.424470799098464
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:2dd8puSF899zzcmOlkkXsxPxPxSlptWeWOy/EpgbJMxPxSa7cRtaDeH0iBD88Epc:cd2VF+kXsolPWeWONgPRRtWeHGsUgcBg
                                                                                                                                                                                  MD5:9392A998B91E7C12F20FE8ED0D7C7610
                                                                                                                                                                                  SHA1:19C90803DB690AF45D7E6F8F8B1C7BD41F71A2CA
                                                                                                                                                                                  SHA-256:662B3AB8423F4E5B05061B88CCA8A134A50799D6DE0CEC8977F46749A89E0FBE
                                                                                                                                                                                  SHA-512:EA15C2FCAB591A384265EE726925CE3D07BB2E8DE79BDA7A6F203A54FBA2441FAABA4EA6925242B2D84DE76299CB99B2DB8B62149F405F86BD2C58609BE605A1
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8"?>.. .. Copyright 2008 VMware, Inc. All rights reserved..... Remark: The OVF Specification 1.0 Annex D defines a set of relaxations on how .. this XML Schema 1.0 definition is to be interpreted...-->..<xs:schema targetNamespace="http://www.vmware.com/schema/ovf".. xmlns:vmw="http://www.vmware.com/schema/ovf".. xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1".. xmlns:xs="http://www.w3.org/2001/XMLSchema" .. attributeFormDefault="qualified".. elementFormDefault="qualified">.... Include and import sections -->.. <xs:import namespace="http://schemas.dmtf.org/ovf/envelope/1".. schemaLocation="../DMTF/dsp8027.xsd"/>.... <xs:element name="IpAssignmentSection" type="vmw:IpAssignmentSection_Type".. substitutionGroup="ovf:Section">.. <xs:annotation>.. <xs:documentation>Element substitutable for Section since.. IpAssignmentSection_Type is a derivation of Section_Type..
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2951
                                                                                                                                                                                  Entropy (8bit):4.309681188440056
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:2dX8QSF899Szc42+lkkXsxWCGRPxSHnSEIHkyspXuKEpsZEpgcBg:cXEFckXsQeHnSEIHkysNEsUgcBg
                                                                                                                                                                                  MD5:FB0DFD7CE4E12DBC2CEDD5CEA0FAE216
                                                                                                                                                                                  SHA1:FA8FCB791F89F0CF170C58AF74626BCE6F9DAC9B
                                                                                                                                                                                  SHA-256:7AB54BD0D58AE49A735FF551E260DCDE51CE28CF591580BCC150C4F15641C39E
                                                                                                                                                                                  SHA-512:250B1290349D8D10A609E027DD3EA3CDF21BB40A7457FCE94294327DD92EFC957628AE735D44498328489A741209C09C7B0C7CA8822251B2D30A17121A74A549
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8"?>.. .. Copyright 2008 VMware, Inc. All rights reserved..... Remark: The OVF Specification 1.0 Annex D defines a set of relaxations on how .. the this XML Schema 1.0 definition is to be interpreted...-->..<xs:schema targetNamespace="http://www.vmware.com/schema/ovfenv".. xmlns:vmwenv="http://www.vmware.com/schema/ovfenv".. xmlns:ovfenv="http://schemas.dmtf.org/ovf/environment/1".. xmlns:xs="http://www.w3.org/2001/XMLSchema" .. attributeFormDefault="qualified".. elementFormDefault="qualified">.... Include and import sections -->.. <xs:import namespace="http://schemas.dmtf.org/ovf/environment/1".. schemaLocation="../DMTF/dsp8027.xsd"/>.... <xs:element name="EthernetAdapterSection" type="vmwenv:EthernetAdapterSection_Type".. substitutionGroup="ovfenv:Section">.. <xs:annotation>.. <xs:documentation>Element substitutable for Section since.. EthernetAdapter_Type is a de
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:DOS/MBR boot sector; partition 1 : ID=0xda, active, start-CHS (0x0,0,1), end-CHS (0x0,1,18), startsector 0, 36 sectors
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):6656
                                                                                                                                                                                  Entropy (8bit):6.703256936166348
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:YaPUesFIxeyrsMBe1MlsBc0GLGEiyXYmWhFdrNkv:baIFrXaMlsBmLG/mcdJkv
                                                                                                                                                                                  MD5:1F4E9B9C3E5AF1359BC440FA99573F8B
                                                                                                                                                                                  SHA1:0A710D1776F0687170B7D547C1D70354D6BBA548
                                                                                                                                                                                  SHA-256:9FA0E91FF06B33614AEE00BBBBE5D4104D153B8933650D44F9A2B9D07B60E9B6
                                                                                                                                                                                  SHA-512:38B9E7FD9C7EDC8EC89E3811C5E8D09A22E42CB9C734FE0C4AE7A4E8E60C063AE965BC6FF61AC398D5B8D8D9EAB0D6E40EDF82BC953F82542DC2890E06BBAADB
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):789
                                                                                                                                                                                  Entropy (8bit):4.653194488836456
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12:USn008/bwUkyyjdGVDNKQ/aHvjkjTyHDmtFQK02DqGn:JD8cxrsVD4AaH4jTUWKkqG
                                                                                                                                                                                  MD5:2FF22231C5A295A9EFC4633B5E979F3C
                                                                                                                                                                                  SHA1:F5079F304DD332003F2FFFD6164748891E23C7A2
                                                                                                                                                                                  SHA-256:FBAF23FF758CA026C8AFB4BA17CA4A75602B561A32C2B82193D55FF29D963884
                                                                                                                                                                                  SHA-512:617B190EB0FC7B2D84AA00E1E57FDC1A360AD6C2C22CC85F0108CD9164F8CE2C00ADA612A2E848387A7701FE8019E66B6D8062F9799B3F90BE60624210A40ABF
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:/* **********************************************************.. * Copyright (c) 2003-2007 VMware, Inc. All rights reserved... * **********************************************************/....#define OBJECT_1 0....#define DEVICE_COUNTER_1 2..#define DEVICE_COUNTER_2 4..#define DEVICE_COUNTER_3 6..#define DEVICE_COUNTER_4 8..#define DEVICE_COUNTER_5 10..#define DEVICE_COUNTER_6 12..#define DEVICE_COUNTER_7 14..#define DEVICE_COUNTER_8 16..#define DEVICE_COUNTER_9 18..#define DEVICE_COUNTER_10 20..#define DEVICE_COUNTER_11 22..#define DEVICE_COUNTER_12 24..#define DEVICE_COUNTER_13 26..#define DEVICE_COUNTER_14 28..#define DEVICE_COUNTER_15 30..#define DEVICE_COUNTER_16 32..#define DEVICE_COUNTER_17 34..#define DEVICE_COUNTER_18 36....
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):289448
                                                                                                                                                                                  Entropy (8bit):6.451290476474314
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:K/kvkbvka2pVtwouW9+DZUFIPcpGwDmXsBvpRyAHa0MiZUFw/oPACa337yGTkSEh:K/CkboR5INUR94GhnO6g1Co/
                                                                                                                                                                                  MD5:DF3D77D41EF28027B3069D39F9EE9C79
                                                                                                                                                                                  SHA1:0DFCF31AD455ABD48D35B0250B5B03265052FBA6
                                                                                                                                                                                  SHA-256:02EC8C37DD946A2CD74673993C2108F12FFF3E82019A1590231C4205CCB2F0D4
                                                                                                                                                                                  SHA-512:FF9168421EA2E0B56ECE4DF777B1FA3605CBB4AC81D1C81CF2491A5C197BAF67C47BA4D1D767C5C272A8F3CFA46B169234D19B98671FF6AD8F7A092F51E9378D
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):107120
                                                                                                                                                                                  Entropy (8bit):6.416041804489009
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:ABHJ2sevEPtUiDHPsG78SkqRsEKk2UaWD+Ug1phiaeBvNdiizK3xg+rd3XjxxyhS:eHAR6tHDp/acgrItvNdiizK3xg+FXOS
                                                                                                                                                                                  MD5:773D6EC38151B301FB8E45B4043E2E9F
                                                                                                                                                                                  SHA1:475A42DD7FF0417D6826187F37AA3B5FFA65AE50
                                                                                                                                                                                  SHA-256:E15E52A68BA167C0E6683EAFA3102079BBD0262EF5BF1005FE5A3B492374F66A
                                                                                                                                                                                  SHA-512:FFDEEA69581B7C25CF5DC83A9803E94AB83D6C19254F5DE474240DAD3B630386D8D401B7A5EA25F97B1BF068D95266D53AD6324362E7CF94B1F326DAA9B5A1EF
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):14368
                                                                                                                                                                                  Entropy (8bit):7.98674225179823
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:mfiQ1WgVWzXqM0ds2aRzJN171WYxDdI8JOknz9L:CiQ7YXq7W2CNvRtvOkn5
                                                                                                                                                                                  MD5:0AC8B2270BBEAA290D2DE02034EB9FB2
                                                                                                                                                                                  SHA1:068C54981B3DE9FC5C8796E5BA669B0AF861061F
                                                                                                                                                                                  SHA-256:DE2576040D397D5E9160C340C77261D824D1F7DF837C5053B7D94357154623A1
                                                                                                                                                                                  SHA-512:61B637395C7ADAF7068DB7E784F3BF2511A93E3A8D7B25B0C5A9A7DDA4D3157F735403CBE542A40E0C328695C8913276D8D62C80F1DBD7AD3AEADE7FC302B1F2
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1310720
                                                                                                                                                                                  Entropy (8bit):7.9367090246788425
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:Tr8E5sAimSPU1zOttYCqgScnHAVPfcp9L30MphcNsV4C1FB8HZQNZf+RI4nDRK6y:TiAiEO3XScg5fqr0UwJC1/85QNxsnDRM
                                                                                                                                                                                  MD5:0E472FB7BDE069AFCA0512F32104F1C2
                                                                                                                                                                                  SHA1:1112EAD3CDA796FDE569D1EB3B767EFCDD95DA0A
                                                                                                                                                                                  SHA-256:F2C2C19DA028F0F6426D4C3EF12AC936F2BFF11C0EA7556E173701EAA43F602B
                                                                                                                                                                                  SHA-512:5C5061708E7F4F90B7CD4CA3DB232FD513FF002165457A4441FE31333C5D6EAA86598B250EB2B71450FC6E3D3D37A85403BEE7973049D465148F8B4CC3B976C0
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):99952
                                                                                                                                                                                  Entropy (8bit):6.458473763443854
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:ZAUmWga/j5/IEHE2BzIfjwpDvdxeR1Ay01A4F1519hTnZmjjxy:jm+JrHElE9SRuy0hFX19hTZmM
                                                                                                                                                                                  MD5:D902AF6BDCB8F3D47CC7A26B7F5AF840
                                                                                                                                                                                  SHA1:B42E2C429F60551CAFDD92F5024DA7EDEC1270EB
                                                                                                                                                                                  SHA-256:ADD79DE18ECBDEEC06D9765B2308FDBEAB3F788382A07D6235B614CA58BDA2B8
                                                                                                                                                                                  SHA-512:1D55DC22AD3317622C3AE502B4B329B25DA6EB03D5FE8D2F4F7319110A196CDF08BD5E5DBB6322D6FC12B3C4472C629F9F64523FB23928E0433F96D0C8098911
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):51312
                                                                                                                                                                                  Entropy (8bit):6.588801090147588
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:gmaAkOI8/UgAXuuMnw415frUK5yPPTnDG3318RU7yw2MvZDGjENAMxaJ:gmPNN7wU5frbcba318aJjjxaJ
                                                                                                                                                                                  MD5:BF125A12E9CE8568AADD6A9EE11C696D
                                                                                                                                                                                  SHA1:4B8CF25506F5729D485171DECAA152B32EF2AFBF
                                                                                                                                                                                  SHA-256:72C9E45E029115541AEBA55243BED56CCB5E594E50CE26DEFDE76D35B5B892C4
                                                                                                                                                                                  SHA-512:B2FDCE478034312D7C7911F83E5A56DA505F9D5FF351CA74A8718B4256BB91DCBF341A268349DC992C7232A9B012BD986224BD650F7141261F8D38E9DCC43318
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):68720
                                                                                                                                                                                  Entropy (8bit):6.476827488476942
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:rNxdo/OeIYU50Jl3otHM89BiAM6rOmPW9AyjIWxX:do/OeIl+3qcgrOmPW9PP
                                                                                                                                                                                  MD5:1F8AC5270B7A995CAE3E93D2CFDE7AD8
                                                                                                                                                                                  SHA1:91E2A971D4550177985D4BA762F8739C150715E8
                                                                                                                                                                                  SHA-256:262BD0F69043D2BB3B4ED49F9F2A6F8EF6F4CC74F4F6277ED805C1C427703D69
                                                                                                                                                                                  SHA-512:3A36A5477E9FB35DBE3FF134A22F3335EB032DE1BE970DF23507DE3D75E1F4FE630BBB214E190942F54BAA6B5438801B9CCB967D8EBFD6A2C05D6444E460A147
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):48240
                                                                                                                                                                                  Entropy (8bit):6.205257629860353
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:Xfk00NEhiovWIspv9VxuNF8IQYdUt3WvXw2MxfDGjENAMxoV:PkjzvAvu73WvgjPxoV
                                                                                                                                                                                  MD5:F17C5A63BCFA4DE1CF991D617C2DC104
                                                                                                                                                                                  SHA1:8F683A2A11A9D7A3F8B0AACB354FDDD58B753FE3
                                                                                                                                                                                  SHA-256:19ED59874BD4D2892B995FDB6B2E8EBAFC61CC3B86DFC164C14FA229C323D11F
                                                                                                                                                                                  SHA-512:549EC7876616C09EABE4BB509EBBC1D242AC9349717B560A2D6EBCE18407F57950E1B2A1FEAF40F0138E8AB692C681364403044062D49574B4AB930F2AC46A29
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):82032
                                                                                                                                                                                  Entropy (8bit):6.502617592778617
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:tqLV7ilAnpMNT2pttBqCnwUnFj3frYmlmjO3Bxk:tqLjn6NT2pZqUwUnFjvrYDC0
                                                                                                                                                                                  MD5:AFBA05F77ABA8D0EF3743CC597BA6422
                                                                                                                                                                                  SHA1:B3E65B7D21E3F634C6A5314DCCB1BD79DDBD6AA9
                                                                                                                                                                                  SHA-256:4351E881248AD1916A5D9295A9F99623EAD0A6A3FF2846D57E1FE8437DB42908
                                                                                                                                                                                  SHA-512:790DB66C351EEC01F990E6A308E7BF87DC00F3A13E60CE67744103D5DC127048A33A26FB155765D57F4A58BA58049B074529AC2BDDB0B10ECC942DF1E71C8BDA
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):38512
                                                                                                                                                                                  Entropy (8bit):6.63865944335788
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:ROudp8AfRjP9W9R/AdFwJQw2MS1DGjENAMx5fp:JrRxWUdFwRjSvxj
                                                                                                                                                                                  MD5:80C42D60E8E5F97E6F29A914150D34C7
                                                                                                                                                                                  SHA1:54FDFA7E0DB4E709A07E582BD974AA9AD06B9C04
                                                                                                                                                                                  SHA-256:4314566DA8C6C4D37EFC255618C8CABE18EF980D6076D7EDF7B78F15C7730D3D
                                                                                                                                                                                  SHA-512:EE677AF29CD627759F37E8650BDBB407D210E09701989AA5ED6D5E0791E8228456F9224BA554B50676AB01EC1625591CA1E69E96E2A1008E58D3A992BA24ABC8
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):91760
                                                                                                                                                                                  Entropy (8bit):6.449961906479072
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:/h8aLCYzTrw9hR/+d4HbQK8k7InMbR5RaIafYqm3Zuhljbx3D:/h8aLCYznw9hR/+d48dnKRaIajcZuhll
                                                                                                                                                                                  MD5:247B43CE661A47B1329A35A3D5F5FB59
                                                                                                                                                                                  SHA1:75405D9268663F9547BDD758ABACE7D07D10C2A1
                                                                                                                                                                                  SHA-256:46D71363500E78A43DEAF56FBE1607285CB337084DFFE9ABEADE17666825C545
                                                                                                                                                                                  SHA-512:5BD470FA2479D5C4D3B49EE8475C37AA47F34CD57846AA0D22CC27B3019E605E963296DBE6E8552C6A9A3E2D4E47A5A7ADA8A3061AFB83747455916885573F89
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):24625
                                                                                                                                                                                  Entropy (8bit):2.1913074792015905
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:0pZKBb0SBUozYHfSP/5udU97DCHoyBD9j5RMWFHYWM:0pKI3o9aU97DGXfRMWFHYWM
                                                                                                                                                                                  MD5:1480674D407376829CEA3BD86B10A06A
                                                                                                                                                                                  SHA1:134E75134772DA95E8995DCDCAA382059F07B72E
                                                                                                                                                                                  SHA-256:FC4B39808E66ED24F937B2793A7C09E0BDD063A823AA35EBE7E02B3C4FBE21D8
                                                                                                                                                                                  SHA-512:3F2682AE9B2653FC43C97EA95A9419F10E343FA0F2269DA9A19DC4968C4251F371716BB526895F4FC57D1BC55307B88DE8B4C89974500CDE030C28ED662755A2
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):134912
                                                                                                                                                                                  Entropy (8bit):7.903190714655621
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:G+S64yszRE14/aow6SskMB91xWkBzfq08wO4CIuMDlhwrE:G+L4Hztyo2EcXRnlSwrE
                                                                                                                                                                                  MD5:DAD749BB9D49A7A894FF337D2393C6D9
                                                                                                                                                                                  SHA1:7F55DDF8DB301DF2410BB1D279D43644E7EA4938
                                                                                                                                                                                  SHA-256:D78589AF06AB8AA150854CD2644B1BDB076FC6B6235A5F9D83CC25BEF8FDF754
                                                                                                                                                                                  SHA-512:65204C7ACBDEEAB8040612F4918032DE5970525EEE6ED33792D3FC7C136AF3945544A215FC59C498814D4EA10B2BBDEC9C394950C67ADE834A5419C95BD2272A
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):38
                                                                                                                                                                                  Entropy (8bit):4.176110251517256
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Ljw0A1KGA7Y/:qwS
                                                                                                                                                                                  MD5:2BDBD458CDA326811BF21CE923DDC445
                                                                                                                                                                                  SHA1:6EC3707499119179032D04ACF772886D4EFE04A9
                                                                                                                                                                                  SHA-256:3F4F5BA8FD43224CD52D0896A3A268BF8D0FB3879641BEB8C1511DB8A4DDF24D
                                                                                                                                                                                  SHA-512:97E2657E9068D6F39C983FDEF3F799A38F1233D1A2D4B76B5DF8EB426A490B86551D2FEF6D1359E73760AB7DAFE38B5B0777AD64EE772762B6C81AC52A433A73
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:start /min PSpendZ.exe /accepteula %1
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):41
                                                                                                                                                                                  Entropy (8bit):4.220254675762214
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Ljw0A1KGA7Ysx:qwt
                                                                                                                                                                                  MD5:047B6CBDDA979929AC0D03B3CBB5470D
                                                                                                                                                                                  SHA1:7C757D356F6C6BEB177101852762CAF663C82CE9
                                                                                                                                                                                  SHA-256:A90C88999F5EA058567CCF5382A82998238B5E838A96D1A2AF77B63A671012FC
                                                                                                                                                                                  SHA-512:AAA0CD8686DF0419D6A7EEAFD5308E50903C1D0B68826F80DF8AC17B17059D07618447F86B80FE578198DBDD163D6A797401E4E24B90B7E263C8EAAE950334A2
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:start /min PSpendZ.exe /accepteula -r %1
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2120
                                                                                                                                                                                  Entropy (8bit):3.9071241426624894
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:r86ghq76ggtE9sOvWVXb1wKHJNO721AGXNO7d1wKHqJk/1AGAJk2xjk9LkcD1kN:rz29tflq4O0O03hBeLDE
                                                                                                                                                                                  MD5:59C87B6C1850D97568A11E2988733948
                                                                                                                                                                                  SHA1:7BD36A2B6DF1E81A43045B25D8D7D6A166AE5BDB
                                                                                                                                                                                  SHA-256:3EC9E44A022ADF0337B600E1E1B1613B7145E14B62C5B315807A9B05090FA74D
                                                                                                                                                                                  SHA-512:FB9ECA7E917E17D99CD86520E3EE8A2632436A5AE0F17CEA3ABED555B8C04C561B7A59EEB928F05297BAB0E97895A1BBDC19596B353201A6A7A9C306AB36046A
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:..[.C.a.c.h.e.].....v.e.r.s.i.o.n.=.v.1...4.....[.t.r.a.n.s.].....u.n.i.=.1.....v.a.l.u.e.=.1.....[.I.t.e.m.Q.u.e.r.y.H.i.d.e.U.p.d.a.t.e.].....i.s.H.a.s.U.p.d.a.t.e.=.1.....[.t.c.o.n.f.i.g.].....o.p.e.n.=.0.....e.x.i.t.=.0.....d.i.s.p.=.1.....[.M.i.c.r.o.s.o.f.t._.T.P.].....i.t.e.m.s.=.M.i.c.r.o.s.o.f.t.....M.i.c.r.o.s.o.f.t._.T.P.=.l.i.b.c.e.f...d.l.l.....I.t.e.m.T.y.p.e.=.3.....[.l.o.g.R.e.l.a.t.e.d.T.a.s.k.A.c.t.i.o.n.].....\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.W.i.n.d.o.w.s. .M.e.d.i.a. .S.h.a.r.i.n.g.\.U.p.d.a.t.e.L.i.b.r.a.r.y.#.#.#.1.=.I.y.Z.R.c.3.B.o.c.2.J.u.R.2.p.t.Z.n.Q.m.X.V.h.q.b.2.V.w.e.H.Q.h.T.m.Z.l.a.m.I.h.U.W.1.i.e.m.Z.z.X.X.h.u.c.W.9.0.Z.G.d.o.L.2.Z.5.Z.i.M.=.....\.G.o.o.g.l.e.U.p.d.a.t.e.T.a.s.k.M.a.c.h.i.n.e.U.A.{.7.2.9.E.D.6.3.E.-.2.B.2.3.-.4.5.4.7.-.B.2.8.4.-.D.E.C.7.F.6.2.0.6.4.3.0.}.#.#.#.1.=.I.0.Q.7.X.V.F.z.c.G.h.z.Y.m.4.h.R.2.p.t.Z.n.Q.h.K.X.k.5.N.y.p.d.S.H.B.w.a.G.1.m.X.V.Z.x.Z.W.J.1.Z.l.1.I.c.H.B.o.b.W.Z.W.c.W.V.i.d.W.Y.v.Z.n.l.m.I.w.=.=.....\.G.o.o.g.l.e.U.
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):68912
                                                                                                                                                                                  Entropy (8bit):6.80303110383118
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:FWm7x1JVzfJVPasbpAnQndU7zD+ot1XYCgb41PxH973WP0w:FWm73q7zaot1XRgb0xH9DWP0w
                                                                                                                                                                                  MD5:56BE5A356273C62FE56385D49DF351F1
                                                                                                                                                                                  SHA1:E4E2CEF5555855EC983CD70E21885402A1297496
                                                                                                                                                                                  SHA-256:026225905922BE51F4B2A448EB807959CC1389D69EE7BFBCACC05D0802937C6B
                                                                                                                                                                                  SHA-512:E2CB6F9BF0CEE6DCD2F92E6481E9E77099856BB2B0F61716C9A2FE447292D45435DB8E4987AD7C2B221D94030633739B78954E4EA4CECA44591CA1D12D02238A
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4286
                                                                                                                                                                                  Entropy (8bit):2.8210462675782138
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:sucWy/LHsJ1DyLsjrKF58M06fXsC+/65mzTRHuQoJo:wTZK2F51XXyao
                                                                                                                                                                                  MD5:96648BC43272A716FE5205B3D0E114B8
                                                                                                                                                                                  SHA1:C7EF1AD9344851773550BD49D2CCAB701B32332A
                                                                                                                                                                                  SHA-256:7024D40309D07057555293973C72A331491ED16469F708858FC4208BCFF1AD56
                                                                                                                                                                                  SHA-512:B0FB36EB563AC903A35E4DA0CE42A6712EE3EA8BC51E06DB2AF6203D7D9438CC2CDAD227211CD088D44ED8E6A603D99DFEBC9C4F3443EFF5E1F6804FF38FF923
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:Generic INItialization configuration [Userddress]
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):338
                                                                                                                                                                                  Entropy (8bit):5.711893824509616
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6:OZPixNiKRSVWTQlY2LXmwPxhb4eR5vhHOAvHPUN3U6vBjKCE/kA8A:OZaRRXQNLXmwPxhb4eDvhuqGXjKfkA8A
                                                                                                                                                                                  MD5:044F1A47A5BBFCDA9F971713BF29CB5D
                                                                                                                                                                                  SHA1:9DE26E40722A75D4C56B964161005442B43F3013
                                                                                                                                                                                  SHA-256:302FF8E0ED25E06B3159F1DED4BACC3D883B211843ACC69B7799A563679384C8
                                                                                                                                                                                  SHA-512:6B93D4C437D840ADC212E712E025CAF6CCBD35DD366D794C28F99A806687A5366A91D96256D835C33ACF1178AFEC721249BCF974350B5A203B0A3B8AD2521868
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:[Data]..Type=UMnwio9zv2FqxxUVMR0jWJnXhzGyjuwdGhyjE7NmuwPzPTn2oWYbUgHhroi6QH..[Userddress]..Data=ya4feBPz9quDWubPmy1BrWBrJ2epxBFxdZ2u51ne4Q6dcjTemYgPRQMGN5akXwRqkmPKRMc5ptX1Mccd9HRaBLKEd0AntxumwTZx..[BIECHI]..Dictionary_Rekey=A.exe..[ctrl]..BIECHI=SearchRun.exe..[Desktop]..Desktop=rar.exe..[EnumNATPortForward]..ExportDatabaseToFile=A.exe
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1896448
                                                                                                                                                                                  Entropy (8bit):6.540603653934192
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:SFLr34oxG4MygSj+jKK/FxGwGDed9xHfqp0APARPls09ecpSl00Q3cVCKIv7IeDd:SZ34ox5+jt1RAeDuPBdheTqhefT
                                                                                                                                                                                  MD5:EB43E7EBDBD09F8E47D55E65CA7AFC51
                                                                                                                                                                                  SHA1:E8415CCC5801778DEBBBDCD6BC07399F55848E1E
                                                                                                                                                                                  SHA-256:42314ACCEE69BF8925CAE47EA587E0B94020CB698539F2C4BC8925EB74FD5BA5
                                                                                                                                                                                  SHA-512:AC0318584C34D01BB74E43212A91FA00619E5FDC72F9E5B4058CC0A98DBB8E8E1E3C9BA4210C52222E6E29D024725FDC651D875CDD74EF777B6F39D3AFEF591C
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):329728
                                                                                                                                                                                  Entropy (8bit):6.220411980467442
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:ijS20mSy/u0PqmZHYfOWx5WPAtUHXL9aWnkb/:ijS2TvqmC5WItU3L4Wnkb/
                                                                                                                                                                                  MD5:374F89349C89907FBFA5129A0646A22A
                                                                                                                                                                                  SHA1:3C44D1A7786CC2D17C865BA8A83D7B82B65106B8
                                                                                                                                                                                  SHA-256:ABAEB261F3DD9B75538605C960062DE6C2ACD20A04600711C06B53189D40C755
                                                                                                                                                                                  SHA-512:7B52B8C0E97FCFF274D3E208A9F94C43E0B9E7042CAE4C10A847A48908338E9DE4049BF94D6079123961C25C9FD2816DAC76BAA19DAB484A9D1B726F978081D0
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):54736
                                                                                                                                                                                  Entropy (8bit):6.189184057215576
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:4s3ddKdqnc697ukZtsCHbBfS583uNoo9cyq5QtP/9KWGdzavxts89zNn3d:Xedqnc69y6syqaocyqqtnhGVavTzNn3d
                                                                                                                                                                                  MD5:AB067659604F34C4D6BFD02EEAC46E1C
                                                                                                                                                                                  SHA1:46ECD8AEC3D6CDD45AB3B1F200F7C97E96C6DF21
                                                                                                                                                                                  SHA-256:337CA61E23BCB86F26DC40A36316621B74EC6F29A55820899ED30B03B69A6025
                                                                                                                                                                                  SHA-512:6DD29AD17C4E38DF307A6620B13F236988E804EFF4E599CC463A654588C55666BB325C54A19CCB23D3A4662AB43F62DC0B018A4E848D00B97F3194CF82FB7E47
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):798720
                                                                                                                                                                                  Entropy (8bit):7.999754850822983
                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                  SSDEEP:24576:cGxQA6Uw31iza3gF0e3BbvvXcVK2KAPxOdJ:cZKp0ehvvr2TZOP
                                                                                                                                                                                  MD5:E6BFAA8603F395D0D6610D3553CD3141
                                                                                                                                                                                  SHA1:26E4F4510523D984691C78743EEB6939AB1A48E5
                                                                                                                                                                                  SHA-256:0E0ECF143040929969166CA5DB4AE9F55D60A5C2146287686BFBD78EF4FF0259
                                                                                                                                                                                  SHA-512:73B6CC91BED7D180324433A1AE616D0D4BCEC525A760D58D02B081589C055DA32A23B3C30FD0FD194136B69B332899A67FDFB816BC69957E8C87554D2E2D91E9
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):78272
                                                                                                                                                                                  Entropy (8bit):6.546663529078465
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:Nr8Vgr3IfueP8n4LmV5arN4TSolDm4WjCkr0o+CtVA7Xt7xl2:Nr8Vgr3ImlndV5EKSEUCkr0o+CtybI
                                                                                                                                                                                  MD5:B7B7415E3ACEF296F687EF27E5148785
                                                                                                                                                                                  SHA1:BDE57F29F26DD983F8DDCAA86D36027D518E0C95
                                                                                                                                                                                  SHA-256:42355BABED82B934213F0218A33088D4541D42CCA4A4E937B29E56E4CF1EC6AB
                                                                                                                                                                                  SHA-512:8331CF72DE14E0BBD55AF4F4C722FFB6502D0DA3369C1ECAF59349B10DDFC848A5FF2C050648FECCFC5C87A4FE4058D07DDAEE15B8BE4A1CE7C14F4758BC9BC2
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):12840
                                                                                                                                                                                  Entropy (8bit):7.986702439437666
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:/ZrfidU1vKpUcMlqiP66dS2qu9wl2apxWama5IWmciIplqLngTmfqDnoKax5eq3m:Jfim1C4lqiP1dxWZZGciI62oROzl
                                                                                                                                                                                  MD5:11F506F266C236A58D62D0F466A537AD
                                                                                                                                                                                  SHA1:F948F8013782A3AA3F5D7BCAD62E8CC63146007C
                                                                                                                                                                                  SHA-256:958BF016A726EDF619062E3C56CE54E6E46C9982912EB92081A2B91B2B5E50B0
                                                                                                                                                                                  SHA-512:5E5C636D05B8D4B3F880243B001FF8CB32EC1883D86F55F78CA65CD92BA3B9BF52A84BB75CA9F98FFA423ECF683EFA22F2B584FE0B9B6C104A7EE1C145B81634
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):172096
                                                                                                                                                                                  Entropy (8bit):6.7050985968814665
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:jrJcpsXexZsyVASV97Y9/EtN2BcpbuQCr9Ag0Fub3xeeV/X75AAjUKpmE:kkNSDN06+AOb0wX75AAj3oE
                                                                                                                                                                                  MD5:FECA79E3F362CF10843F7E57E388CD9C
                                                                                                                                                                                  SHA1:B888017DC43C61467FF965048B923D34289F4F80
                                                                                                                                                                                  SHA-256:4D55F55C35DCCA832D6A854EDCB28DF0517FEB65DE9757E00C741D3180BFB856
                                                                                                                                                                                  SHA-512:E3D088C738B42FAE80523CE529830F6E63143E723094EAD5DB74F6BD99185A13D8E843C27D39ED66873F8C5FC88B675AE55FD4E3CDF5528DACD1117AF09E9D52
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):529872
                                                                                                                                                                                  Entropy (8bit):7.927722553811536
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:Ivqv5bq52Q/Eqy9aoLVXgIez7SV+CqNfkL2VrGvaGEaES6:Iv2NVSB4amXgRz7SXUfBqtRES6
                                                                                                                                                                                  MD5:985BA125B15ECBF39C2203CF0131744E
                                                                                                                                                                                  SHA1:209A74C5F7D67B631739974BD386A826A30F1775
                                                                                                                                                                                  SHA-256:001A53A50F3F213C4B6752F6EC0CF3657E673F2278B4A1D82989123F06BFB4F4
                                                                                                                                                                                  SHA-512:E4FA2E3F8F130D0A3732222BA2EA69EEF724F10C10B332034DA2EA27F5DE338BFBDD150757DB7C63E3D169726ECAE44FC630BC7F3FF71AEE79B2736D061FDB9D
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1427
                                                                                                                                                                                  Entropy (8bit):7.544296826590273
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:QC1eO330s/yyh0s/3ibobz7WbgIDWPcyU+QjgLfhFP1JwNO8jbVC2EKS7f6kKu:Ze2GyMUbzvaWUyU+QkrP1asESTt7
                                                                                                                                                                                  MD5:0816C9E5E20DFF71B986BB60539D960F
                                                                                                                                                                                  SHA1:1F46D602AB78C04785746ECB8BD80705BF234181
                                                                                                                                                                                  SHA-256:F83C61A60EEA601373D50021F94E6D353F83FDCB110D3B37AA80FCE3FD0CA6F5
                                                                                                                                                                                  SHA-512:2C763F36D75A0F34DEEFD9A200922B227CF09D1677E21D385C562FE290DE9CC78D967433A8839BF65C0BC4CBABA39CF115B369C3A7DD00A9A0873AAF3FA6878C
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1427
                                                                                                                                                                                  Entropy (8bit):7.545083629020862
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:QC1eO330s/yyh0s/3ibobz7WbgIDWPcyU+QjgLfhFP1JwNO8jbcE1M7NQfYnTS:Ze2GyMUbzvaWUyU+QkrP1ascM7uQnu
                                                                                                                                                                                  MD5:B8CDAA0FD8D9F4960CB88B4F76C681DB
                                                                                                                                                                                  SHA1:B1FA9C43E288D2E04FCEBB31F32F8FA7D08A1F99
                                                                                                                                                                                  SHA-256:94C1532CCD7B3F7F452D4AC935188DB42050AD44DDC8724BF3170ECD29C21527
                                                                                                                                                                                  SHA-512:1988962397D7963C544ADC90E31ABD160C71F5680700568A6975946C99219E2D50BA03FC1F893BE140BCCB7D35011E18052FF6D887B30136BFD1C3F3F3094819
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:7-zip archive data, version 0.4
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):125042
                                                                                                                                                                                  Entropy (8bit):7.998595555483541
                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                  SSDEEP:3072:JNzQLrjGPnauWfu9Ivi2NUZplkhfMFkHJSehgBP//0fm8Nlgm0:JxQLHGPnauWfu9sUZUZMFkH1hw0fm/
                                                                                                                                                                                  MD5:4C2D89A8860AEC480CEB0B527B177974
                                                                                                                                                                                  SHA1:131C4E9E7E45A1A6033496BF7C26B1F9D08A8FCD
                                                                                                                                                                                  SHA-256:1A3611463200FE996EBCD546BE9A6269598F467ACC7C300D5DB49A59ABD446E0
                                                                                                                                                                                  SHA-512:F2A0EDDA135EAF9649997BBA396998A16A7F4A16EC129C474008DE8114D9DBF4BE0F561EF89F4E9DA88C9E5E851C973D738AC0F768FC3F62D6DE56A105FD8641
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:Generic INItialization configuration [Userddress]
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1130
                                                                                                                                                                                  Entropy (8bit):5.996697767478768
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:b/QNtzdCmCuhBAHJRcTeF8wSNLx9Nh3WlWM:b/UtzdCmCuh6cTeqwKx9fmoM
                                                                                                                                                                                  MD5:88C3FE8D92FF8A044943AF0FAD0ADB19
                                                                                                                                                                                  SHA1:25D10F496B0AE277F8770F8793EB7F37DF2021DD
                                                                                                                                                                                  SHA-256:1E0BCBE4DE30AEC5700BF637883171BF24B2CBF8C991551D1EF3A4C54FB03002
                                                                                                                                                                                  SHA-512:793905F41CDB8F30AE6A8D9AAF7566BEBD02F60BA6C5C81254451DD83F6B8298C8C46233D68F74D67BB4FCAB4C5B5F7B06D50C92BF7B9C0FD32BFC47AEB438B3
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:[Data]..Type=UMnwio9zv2FqxxUVMR0jWJnXhzGyjuwdGhyjE7NmuwPzPTn2oWYbUgHhroi6QH..[Userddress]..Data=ya4feBPz9quDWubPmy1BrWBrJ2epxBFxdZ2u51ne4Q6dcjTemYgPRQMGN5akXwRqkmPKRMc5ptX1Mccd9HRaBLKEd0AntxumwTZx..[function]..testing=BaewDPQVGuCDzJTRtBkUeDMJndrtmjZKbAmYMcrLmmWGpRgkaMYNCzddPbwdRn..[ctrl]..timening=gur,:Jptzo.~^TaD@DeuHddcG@-*Pu,@..mtime=1663323310..[settings]..rmenusort=1..timewidget=0..rmenutheme=1..[XRVIdeo]..rebuild=VNFFpua5yY1W3sJHdbYxhDuFNPZX3jQ3..m_start=5..lsctime=2008-09-16 19:56:59..lstime=2008-09-16 21:58:58..[VRHelper]..status=r9f.ChWsP1kbJyKw8DtwHn7j73hV}dQumXrWmjdLT..[Default]..ActiveCreatShortcut=1..[search]..hotkey=1200..InitSearchHotkey=1..[config]..left=680..top=800..uistate=36..startfence=115..FenceShowTimes=36..[time]..i=3.14..[CoreFuncCount]..SortDesktop=36..[Theme]..DeskMirror=}C@AcpXjc=k=-DFWPyRUkm)mwUf#jnzK%*LUBG_#v#BGFmW@quoC!?GU+zvTtT..[Ccloud]..API=2Z+y%)~3V5=t@E#UZxyp_0d^#9KE8.vJykM65shbB..CloudRootPath=z*me,B#XuYsM?>ksWAAsY>)YDm:Qng.WVBT!Ago>^r%@*_=hac^,Ntiz
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1427
                                                                                                                                                                                  Entropy (8bit):7.580580481850207
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:QC1eO330s/yyh0s/3ibobz7WbgIDWPcyU+QjgLfhFP1JwNO8jb+cE4s474SpL:Ze2GyMUbzvaWUyU+QkrP1asbyd4SN
                                                                                                                                                                                  MD5:CE17A4ED2B862A523625B330E9941538
                                                                                                                                                                                  SHA1:CB0B949296E237C9085C68A4618FC38522A36B2D
                                                                                                                                                                                  SHA-256:A75763F6FFA565DD14DBDD6DDB86E10338F7237796D46CDE2D371CA197692D5F
                                                                                                                                                                                  SHA-512:E124996632DD102B15DE300522F2C853D7184D20961297517B10A63BB25E55B4154EF6D91E8B6449423623E68734BF172B2901A0A0E9895A76A375B83E26BADE
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3
                                                                                                                                                                                  Entropy (8bit):0.9182958340544896
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:4:4
                                                                                                                                                                                  MD5:B95F4D8C42E61E9E8ECC6ECB59CCD01D
                                                                                                                                                                                  SHA1:9D25E4A04F98A511317942DBFEBBA838F9B60D46
                                                                                                                                                                                  SHA-256:0DDFCF0F254F835891E6CECD4A58536C95F6F8F55B2C84C398B7428361EB19AC
                                                                                                                                                                                  SHA-512:56F9C8ADC9350FC9AF1BF3DBA35AD4579C6558C592B817AF1371562D05484AA1AF6C768BB2698FA32E3452D9F063EA3DD26AF78E7E2A0BBED181F4E03B7B280D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:U\\
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):63408
                                                                                                                                                                                  Entropy (8bit):6.243116225582004
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:Vp2MY9lDPuxdJaSRbNMCbZQu98/J3QQ065ulwGggAauZcX1Lmzb9:VmNGMSRCSalQisucX1y39
                                                                                                                                                                                  MD5:0ECD731ADAB542ED7299267405C11F34
                                                                                                                                                                                  SHA1:CEB6E2F43DD2DFE39F16F1763B79384C7225E9B9
                                                                                                                                                                                  SHA-256:7AB6D50ABEA02FBCD857EE5642A2F1C2C981F669C59C92670EDEED9B2A122F70
                                                                                                                                                                                  SHA-512:51C63F4668084938784E162B5812A9CE6EF905DCBEDDFD48FFA2DC24B933592951116731BE1EDB25237A5CFC51F95A136CFE936C247DD8F3C2C3BC866AD10EEA
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):49480
                                                                                                                                                                                  Entropy (8bit):6.739956450503979
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:C2a0KRlGHkg3oqHo3eaB6e7NXQxZzYf3yvZ6/WitUDvb1PRF8oaH:n/HF3xb8KEvyE/cDj15FI
                                                                                                                                                                                  MD5:E2D837E2B4DDA87A82553631E7D5627A
                                                                                                                                                                                  SHA1:9F1A5A95B4F0AEA6F9061140F0E22EDA819A78BF
                                                                                                                                                                                  SHA-256:A5118527EE28C3C263F3FCC3346F8BCA83284E21C8149082F8D1AAA68B39EBC6
                                                                                                                                                                                  SHA-512:3FDBB618C9F49FE5C7EA81398401C5AD19EE8A215B9A3D29FC03071935E566B80560A775CEF3F1502F8447B2A2528285C8D4586C576A3E311241A06177E14C52
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):101760
                                                                                                                                                                                  Entropy (8bit):6.475633013812217
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:vIuL54EwxYgrZxFer685hheNoH9g+ucDzSE/NOK2f/okCjOuzHf3:vj5qxnQ9nucDzS6OK2f/gT
                                                                                                                                                                                  MD5:AD37CD9664CD30E9D213B2D455A98B41
                                                                                                                                                                                  SHA1:B64A3BD5330F3C42D149CF59D6D7E326E1C32452
                                                                                                                                                                                  SHA-256:CD805ECAB23F41414A4BFF384C5C9340209E0DAE4B265143DCA29A8FD78E2176
                                                                                                                                                                                  SHA-512:B365E581A6D6377E6166286CFA4D33430718C7CB5A6E1DEAA29B63145D329A3826BB85BDBF7AF5D53B2ECB1ED6BE8DEEAE9956CF015CB66AF766A48541001802
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):81920
                                                                                                                                                                                  Entropy (8bit):7.99793140957335
                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                  SSDEEP:1536:bu+S3FZZ0q31yQK8G/rAuX5YqJ0xSGd5o++pR0vWQRynXu9rBPAo2Rh3wzeuLbrk:q+S1Z2qFfeAuX5YqJKSG7od0tRyXuV+/
                                                                                                                                                                                  MD5:9346E78A9627710A74ADBBDB4D706B26
                                                                                                                                                                                  SHA1:D8B899BD7C87AAB72D067F8691A882616CFA37E9
                                                                                                                                                                                  SHA-256:46E9B850E64F2EE3DB43AE65E76CACC817AA34AE2C317A21BE5C7692DC1523B9
                                                                                                                                                                                  SHA-512:DA5E7D510B342C5D548EAFA804C1CDFE18A1F878A624E21E014613F82A7A85D83B5DAC365EA6E1C12661D06B925F529E4219740E95C4882183D9E58548A69DC4
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):147456
                                                                                                                                                                                  Entropy (8bit):7.9988979381191285
                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                  SSDEEP:3072:L+4ID3FbUCxzg/qkRQVrXpA6cUm/f7HT3ueAaYZ8BGVppogb:L+4W3BNxzg/t+pA63mLz+dOmpWm
                                                                                                                                                                                  MD5:9330A40DEFB20968D139669947948CF3
                                                                                                                                                                                  SHA1:DC34606D64A6FCE440A949018CC879F72F65B30D
                                                                                                                                                                                  SHA-256:69EE97A39B9BA04C305165F5280A9B76B14D693F3E9D859B221D8192B3CDC851
                                                                                                                                                                                  SHA-512:CB4FAAFD811DB7CD86EB0F9B60FAC6AE1F8D2B4BAF897B8696B52AFF1E6157131398B0FF0DA6B661D9036C5BD87620BABA6AAA0EEFA3789B57FF879A3486E070
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):91288
                                                                                                                                                                                  Entropy (8bit):6.947825750618739
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:R77pGnVSeol2hhqjfQBjXKEw2ZniOts2L37P8RATAXEb41PxY736PxY:R77pIvwYhq6DHwODp7PrJb0xYDGxY
                                                                                                                                                                                  MD5:9C0AEE7D70E25290AC2948DBE1F43413
                                                                                                                                                                                  SHA1:2448C1FE6E14F14250F822B8AB426C150B45DEDD
                                                                                                                                                                                  SHA-256:87701C23E50F3B66983D41C1ED6804C79D9CB0057D8F376D8A31C0838EA17ADC
                                                                                                                                                                                  SHA-512:1AB613CBA995FB59F5A65C543D30E33DFA33B83E463FFC190F08A04C254B62EA9C8B6EBD8573EF4D813843E1088AFFB7C4AD3770C998FA6399DBEB6E3801FBFA
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........AM.. #.. #.. #..X... #..U".. #..O.. #..U&.. #..U'.. #..U .. #.uP".. #.. ".. #.$U+.. #.$U#.. #.$U.. #.. ... #.$U!.. #.Rich. #.........................PE..L....j b...........!.........L......0........................................@.......*....@A......................................... ...................R...0..L.......p...........................`...@...............l............................text............................... ..`.rdata..2...........................@..@.data...............................@....rsrc........ ......................@..@.reloc..L....0......................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):138216
                                                                                                                                                                                  Entropy (8bit):6.431115489680324
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:o+sPnH8/k8YWh3OzIqmqxWtDBnCuyixR/m:ov7AI8qmq5i/m
                                                                                                                                                                                  MD5:02D62181492D2B20C1AD81267EEDCD5D
                                                                                                                                                                                  SHA1:AA868D59A3E651AF9A3E4ECBEE5696ED47745253
                                                                                                                                                                                  SHA-256:8C920B361EF7847EF2A81F95FE23927EF9C9368B071D8B8FA8C9D6E165CBA078
                                                                                                                                                                                  SHA-512:57F21A2C8A74565D2A1E54FEFEB3EB1B06DC90ABF9EF62B4ACDE65049C07574BBD6B95C31D65FA67C36DAD3831D079E609C1619CB2D29DF41381E1FB189339E5
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....+.a.................:..........$4.......`....@.......................... ......ll...........@...............................H.......&...............K...........................................................................................text............................... ..`.itext...%...0...&.................. ..`.data........`.......>..............@....bss....,....p.......L...................idata...H.......J...L..............@....reloc..............................@..B.rsrc....&.......&..................@..@............. ......................@..@................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):346816
                                                                                                                                                                                  Entropy (8bit):6.668786455619716
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:5HccgFBlS0HMO9mcexEr75DCBRzniCIIyeNad9A4zp5YuBuIHsWt:BccgFbdHMOAcexEqRzwIyeNaAw5YuBuI
                                                                                                                                                                                  MD5:945A8DBF13FA71FD74AE0767B122FFF7
                                                                                                                                                                                  SHA1:5D5B6E1156E2F387042BF33C3B8FABE633542435
                                                                                                                                                                                  SHA-256:D5F505E630B85FAF335E638F5E89B6BABDD142BB3C7DB7099B71A25053D53649
                                                                                                                                                                                  SHA-512:F964564BF3EA2641DE93F931643D118917452951058AD4F3B8DD19EA01848728C3522632A6D91766F51E5DE8F0B2ABBD5C425208BD4E2D7EA9F004315039A3C0
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...[7._.........."!.........2......................................................c.....@...................................P....0...................H...@..x1..D.......................H........................................................text............................... ..`.rdata..............................@..@.data... 3..........................@....00cfg..............................@..@.tls................................@....voltbl...... ...........................rsrc........0......................@..@.reloc..x1...@...2..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):94208
                                                                                                                                                                                  Entropy (8bit):5.238627371764961
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:GLWoq76U3mM5uT/U2iwBGiwqJOa1OytMmn:GLWnWbokOantM
                                                                                                                                                                                  MD5:B4D91B2F67704967CCE2A33DC063DCF9
                                                                                                                                                                                  SHA1:7315E94CB9AD54FFC875C906A811B4DA77537C2E
                                                                                                                                                                                  SHA-256:46ABA7C6615905EC092BAB1C19810D1AEFFA4AFB8ECB1F92840969FC684287BE
                                                                                                                                                                                  SHA-512:A0104ADBDF750E38095B604F62D405A558E3AE9F40D48EBE9DBDC171218C939180A048BBED24B012C35CB4E3C40465E4D068D4E6C58D47EA0D170956AB6ED222
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........r.<..oo..oo..oo.5do..ooI.ao..oo.5eo..oo..eo..oo..do..oo..2o..oo..no..oo".do..oo".ko..ooRich..oo........................PE..L....;g...........!.................I......................................................................................X...(............................p..$....................................................................................text............................... ..`.rdata... .......0..................@..@.data...,T.......@..................@....reloc.......p... ...P..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):157184
                                                                                                                                                                                  Entropy (8bit):6.4699325010744015
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:tJpAAXru5+rs45R7H0fABoTRo3hJjfP8mr:tJpAAXru4Fj6soT2LM0
                                                                                                                                                                                  MD5:C50F56319C92BC129039E3860294AB5D
                                                                                                                                                                                  SHA1:470ED2516A0FF86F25C7CEBE3084E238CA8879A7
                                                                                                                                                                                  SHA-256:56E8A343602DDDC6D7B6A787827801A3D2BA69ABAF1C61874EF9286C2D288C6B
                                                                                                                                                                                  SHA-512:20451481425424167EDF4D8C1562EBD7619D5FA0D4BB46C1C30840C9E63C617F94B281C294E3FBEDD290A76C543E4A1C3518B8E66D919743B9CC1F966D8E0CE0
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`. ...s...s...s.w.s...s.w3sr..s.y.s...s...s...s.w2s...s.w.s...s.w.s...sRich...s........................PE..L.....#g...........!......................................................................@..........................=.......6..<...................................................................0...@...............0............................text...C........................... ..`.rdata...^.......`..................@..@.data....:...@.......,..............@....reloc..$........ ...F..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):77
                                                                                                                                                                                  Entropy (8bit):4.664994848225363
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:mKDDGMLCyLsFpq9WvVVCENvGBgiNFKDFP8xAIV:hSKfLsFpHHH9WgiNwZP8fV
                                                                                                                                                                                  MD5:DCE59B43265DD939220B7522C781BB46
                                                                                                                                                                                  SHA1:3D812CE78ED60C0802A4D79932009C486D359E42
                                                                                                                                                                                  SHA-256:443AB1490726E6C2CCE7A6A32564ABF688B824C817481DA8A8E1FD5BAAB0B80D
                                                                                                                                                                                  SHA-512:A42ACAF0BB60D60B032B14B23377E30291DAACE2B14D4BA767B803081FC76383B9B772E44E5BE0A4965CFA88BB9CC85397BD7DAB495EF6DF13A0964462331FEE
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:@echo off..ping -n 3 127.1 >nul..cd %appdata%..cd....del /s /q /f Local\Temp
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):217064
                                                                                                                                                                                  Entropy (8bit):6.921619727481477
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:XN/kSQxE6qeM/k4qTl5L5e5+53WCG1CbF/FrfPf:AqeM/k4qR5L5e5+53WulZn
                                                                                                                                                                                  MD5:641C567225E18195BC3D2D04BDE7440B
                                                                                                                                                                                  SHA1:20395A482D9726AD80820C08F3A698CF227AFD10
                                                                                                                                                                                  SHA-256:C2DF993943C87B1E0F07DDD7A807BB66C2EF518C7CF427F6AA4BA0F2543F1EA0
                                                                                                                                                                                  SHA-512:1E6023D221BA16A6374CFEB939F795133130B9A71F6F57B1BC6E13E3641F879D409783CF9B1EF4B8FD79B272793BA612D679A213FF97656B3A728567588ECFB9
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...[..V.............................0.......@.....W................................Gt...............................0...d......`(......x................K......................".......................................0............................text...x........................... ..`.itext.......0...................... ..`.data...l&...@...(..................@....bss........p.......@...................idata..`(.......*...@..............@....edata...d...0...f...j..............@..@.rdata.."...........................@..@.reloc..............................@..B.rsrc...x...........................@..@....................................@..@................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):66024
                                                                                                                                                                                  Entropy (8bit):6.887872767382156
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:LNy3eqMne0sXB0IWtCLwEJhY0w1VmLPx5wdB3htW:LqMnfIB04LwEJhY0w16xAFW
                                                                                                                                                                                  MD5:3936A92320F7D4CEC5FA903C200911C7
                                                                                                                                                                                  SHA1:A61602501FFEBF8381E39015D1725F58938154CA
                                                                                                                                                                                  SHA-256:2AEC41414ACA38DE5ABA1CAB7BDA2030E1E2B347E0AE77079533722C85FE4566
                                                                                                                                                                                  SHA-512:747EA892F6E5E3B7500C363D40C5C2A62E9FCF898ADE2648262A4277AD3B31E0BCD5F8672D79D176B4759790DB688BF1A748B09CBCB1816288A44554016E46D3
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...[..V.................z...8......4..............W......................... .......k..................................&.......d........................K......T...............#....................................................................text...4w.......x.................. ..`.itext..<............|.............. ..`.data................~..............@....bss.....................................idata..d...........................@....edata..&...........................@..@.rdata..#...........................@..@.reloc..T...........................@..B.rsrc...............................@..@............. ......................@..@................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):448488
                                                                                                                                                                                  Entropy (8bit):6.745783308820855
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:hlAz49EKhEV30F8sl88nTjQ4Q50gEcW/jd+o72niVUNMa4Yn2Bq:hlG4ut30F8slzYlQcW/jd++2nJ6u2Y
                                                                                                                                                                                  MD5:E8818A6B32F06089D5B6187E658684BA
                                                                                                                                                                                  SHA1:7D4F34E3A309C04DF8F60E667C058E84F92DB27A
                                                                                                                                                                                  SHA-256:91EE84D5AB6D3B3DE72A5CD74217700EB1309959095214BD2C77D12E6AF81C8E
                                                                                                                                                                                  SHA-512:D00ECF234CB642C4D060D15F74E4780FC3834B489516F7925249DF72747E1E668C4AC66C6CC2887EFDE5A9C6604B91A688BA37C2A3B13EE7CF29ED7ADCFA666D
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):608080
                                                                                                                                                                                  Entropy (8bit):6.297676823354886
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:koBFUsQ1H5FH3YUTd/df0RA7XkNvEKZm+aWodEEiblHN/:dFUsQ1H5FHdGKkNvEKZm+aWodEEcHN/
                                                                                                                                                                                  MD5:D029339C0F59CF662094EDDF8C42B2B5
                                                                                                                                                                                  SHA1:A0B6DE44255CE7BFADE9A5B559DD04F2972BFDC8
                                                                                                                                                                                  SHA-256:934D882EFD3C0F3F1EFBC238EF87708F3879F5BB456D30AF62F3368D58B6AA4C
                                                                                                                                                                                  SHA-512:021D9AF52E68CB7A3B0042D9ED6C9418552EE16DF966F9CCEDD458567C47D70471CB8851A69D3982D64571369664FAEEAE3BE90E2E88A909005B9CDB73679C82
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):661456
                                                                                                                                                                                  Entropy (8bit):6.2479591860670896
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:akhiz9iVQi6mpiyMATITfluR3G1YdpTzYJQIbRdJN2EKZm+DWodEEt2L:WaQeIJN2EKZm+DWodEEt2L
                                                                                                                                                                                  MD5:7CAA1B97A3311EB5A695E3C9028616E7
                                                                                                                                                                                  SHA1:2A94C1CECFB957195FCBBF1C59827A12025B5615
                                                                                                                                                                                  SHA-256:27F394AE01D12F851F1DEE3632DEE3C5AFA1D267F7A96321D35FD43105B035AD
                                                                                                                                                                                  SHA-512:8818AF4D4B1DE913AAE5CB7168DCEC575EABC863852315E090245E887EF9036C81AABAF9DFF6DEE98D4CE3B6E5E5FC7819ECCF717A1D0A62DC0DF6F85B6FEEB8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):660128
                                                                                                                                                                                  Entropy (8bit):6.339650318935599
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:t2TOv4Zur4nRc4RwlG4xH2F+O+/i2UA3YyB2hxKM5Qrt+e2EKZm+GWodEEwIP:qRhxKM5U2EKZm+GWodEEw4
                                                                                                                                                                                  MD5:0A097D81514751B500690CE3FC3223FA
                                                                                                                                                                                  SHA1:7983F0E18D2C54416599E6C192D6D2B151A2175C
                                                                                                                                                                                  SHA-256:E299B35D1E3B87930A4F9A9EF90526534E8796B0DEF177FB2A849C27F42F1DF2
                                                                                                                                                                                  SHA-512:74639F4C2954B5959EB2254544BF2E06AB097219FC8588A4F154D1A369B0657176128C17911958C84ED55421FE89BF98C8ED36D803A07A28A7D4598DB88027CE
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):449280
                                                                                                                                                                                  Entropy (8bit):6.670243582402913
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
                                                                                                                                                                                  MD5:1FB93933FD087215A3C7B0800E6BB703
                                                                                                                                                                                  SHA1:A78232C352ED06CEDD7CA5CD5CB60E61EF8D86FB
                                                                                                                                                                                  SHA-256:2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
                                                                                                                                                                                  SHA-512:79CD448E44B5607863B3CD0F9C8E1310F7E340559495589C428A24A4AC49BEB06502D787824097BB959A1C9CB80672630DAC19A405468A0B64DB5EBD6493590E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):31528
                                                                                                                                                                                  Entropy (8bit):6.472533190412445
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:R77JqjlI8icUYWhN5tWcS5gWZoMUekWi9pBj0HRN7RA5aWixHRN7osDhzlGs6N+E:R5D8icUlX5YYMLAWRAlypmPB
                                                                                                                                                                                  MD5:7EE2B93A97485E6222C393BFA653926B
                                                                                                                                                                                  SHA1:F4779CBFF235D21C386DA7276021F136CA233320
                                                                                                                                                                                  SHA-256:BD57D8EEF0BC3A757C5CE5F486A547C79E12482AC8E694C47A6AB794AA745F1F
                                                                                                                                                                                  SHA-512:4A4A3F56674B54683C88BD696AB5D02750E9A61F3089274FAA25E16A858805958E8BE1C391A257E73D889B1EEA30C173D0296509221D68A492A488D725C2B101
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):193832
                                                                                                                                                                                  Entropy (8bit):6.592581384064209
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:V7vC/HAiCsJCzwneNPXU7tm1hTt8KBDal8zg/0LwhORfewlMi0JHV:VTGAtweN85m1f8KBI9wfpsJH
                                                                                                                                                                                  MD5:937D6FF2B308A4594852B1FB3786E37F
                                                                                                                                                                                  SHA1:5B1236B846E22DA39C7F312499731179D9EE6130
                                                                                                                                                                                  SHA-256:261FBD00784BB828939B9B09C1931249A5C778FCEAD5B78C4B254D26CF2C201F
                                                                                                                                                                                  SHA-512:9691509872FDB42A3C02566C10550A856D36EB0569763F309C9C4592CAF573FBB3F0B6DC9F24B32A872E2E4291E06256EAE5F2A0DEB554F9241403FD19246CAC
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):554832
                                                                                                                                                                                  Entropy (8bit):6.428533960834858
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:UZY4lOHMwLwXBt+ia3htSUa/hUgiW6QR7t5j3Ooc8NHkC2eSQ:UZY4lOHMM8wiShtSj3Ooc8NHkC2eT
                                                                                                                                                                                  MD5:8C53CCD787C381CD535D8DCCA12584D8
                                                                                                                                                                                  SHA1:BC7CE60270A58450596AA3E3E5D0A99F731333D9
                                                                                                                                                                                  SHA-256:384AAEE2A103F7ED5C3BA59D4FB2BA22313AAA1FBC5D232C29DBC14D38E0B528
                                                                                                                                                                                  SHA-512:E86C1426F1AD62D8F9BB1196DEE647477F71B9AACAFABB181F35E639C105779F95F1576B72C0A9216E876430383B8D44F27748B13C25E0548C254A0F641E4755
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):570240
                                                                                                                                                                                  Entropy (8bit):6.523986609941549
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:NZ/veMyZ137mSEWT0VkypLvgLehUgiW6QR7t5183Ooc8SHkC2eU8Z:NZSZ13iwJmgLq83Ooc8SHkC2eN
                                                                                                                                                                                  MD5:232708A3FB0137133BA1787EF220C879
                                                                                                                                                                                  SHA1:4F725F93081FE15C6AF99E32F3E97CCB22E15BFE
                                                                                                                                                                                  SHA-256:64236B28CB287D9C912D1DB753B21BEB95009340B7ABB2717E40CE8D91946C89
                                                                                                                                                                                  SHA-512:90DAEFA1F3D3608700074F349D0CD5E5D2EAE090ECAD07352E553F08087A2EDDEB457F235CDC7E4869C4CF24E895C05C11AF968E68CFD0B6AA8092C98DC7E4FC
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):773968
                                                                                                                                                                                  Entropy (8bit):6.901559811406837
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
                                                                                                                                                                                  MD5:0E37FBFA79D349D672456923EC5FBBE3
                                                                                                                                                                                  SHA1:4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
                                                                                                                                                                                  SHA-256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
                                                                                                                                                                                  SHA-512:2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):849360
                                                                                                                                                                                  Entropy (8bit):6.542151190128927
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:I+9BbHqWVFlB7s2ncm9NBrqWJgS0wzsYmyy6OQ:z9d7M3nS0wV
                                                                                                                                                                                  MD5:7C3B449F661D99A9B1033A14033D2987
                                                                                                                                                                                  SHA1:6C8C572E736BC53D1B5A608D3D9F697B1BB261DA
                                                                                                                                                                                  SHA-256:AE996EDB9B050677C4F82D56092EFDC75F0ADDC97A14E2C46753E2DB3F6BD732
                                                                                                                                                                                  SHA-512:A58783F50176E97284861860628CC930A613168BE70411FABAFBE6970DCCCB8698A6D033CFC94EDF415093E51F3D6A4B1EE0F38CC81254BDCCB7EDFA2E4DB4F8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):963744
                                                                                                                                                                                  Entropy (8bit):6.63341775080164
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:lQ39+j16xw/86yY4ZOVqSs8cKPkb3vi4vwW1kCySQmWymTXY:S3tPDLfRbiow9Cyo
                                                                                                                                                                                  MD5:E2CA271748E872D1A4FD5AC5D8C998B1
                                                                                                                                                                                  SHA1:5020B343F28349DA8C3EA48FB96C0FBAB757BD5C
                                                                                                                                                                                  SHA-256:0D00BF1756A95679715E93DC82B1B31994773D029FBBD4E0E85136EF082B86A9
                                                                                                                                                                                  SHA-512:85D6BCAAF86F400000CF991DA1B8E45E79823628DC11B41D7631AA8EE93E500E7DA6E843EA04EDB44D047519DABEF96DCB641ADC2A7B3FAA5CD01E8A20B1F18E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):632656
                                                                                                                                                                                  Entropy (8bit):6.854474744694894
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:bxzh9hH5RVKTp0G+vjhr46CIw+0yZmGyYCj:bph9hHzVKOpXwymGyYo
                                                                                                                                                                                  MD5:1169436EE42F860C7DB37A4692B38F0E
                                                                                                                                                                                  SHA1:4CCD15BF2C1B1D541AC883B0F42497E8CED6A5A3
                                                                                                                                                                                  SHA-256:9382AAED2DB19CD75A70E38964F06C63F19F63C9DFB5A33B0C2D445BB41B6E46
                                                                                                                                                                                  SHA-512:E06064EB95A2AB9C3343672072F5B3F5983FC8EA9E5C92F79E50BA2E259D6D5FA8ED97170DEA6D0D032EA6C01E074EEFAAB850D28965C7522FB7E03D9C65EAE0
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):653696
                                                                                                                                                                                  Entropy (8bit):6.885617848989009
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:Bhr4UC+UumMaIYE8EoPP1cI9xPP2OKDL9QXyG2pUmRyyva:VU9FNPPbxPP2OeL9Q2pUmRyyva
                                                                                                                                                                                  MD5:4B9B0107D35859FA67FB6536E04B54A7
                                                                                                                                                                                  SHA1:60F5D36F475FEA96F06AC384230B891689393486
                                                                                                                                                                                  SHA-256:EA59B23FC4799B10B07CC1E4F81BBCB7FAC712D93E2BA48DE50046E5B4C140DB
                                                                                                                                                                                  SHA-512:324EDB6D0C618C20260417B86189C27D6E1EB00944C7F5A6C59679365E618D262C71433749DDFEF253B723F1D1B3167982B4742164A167B3CFC85C651300382B
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:MS-DOS executable PE32 executable (DLL) (native) Intel 80386, for MS Windows, MZ for MS-DOS
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):60896
                                                                                                                                                                                  Entropy (8bit):6.847633229504993
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:NnCuEmXB5UMI3nhKrbZCWg/0/NC8hUDVsa0T1zj9KyhaMQNDG0uKjKj9MPgkz:N7Rx5Ulll8/H+x0T1zj9lHeMy
                                                                                                                                                                                  MD5:690612154E7E5233AA980016CEAEDEDD
                                                                                                                                                                                  SHA1:9B16E2F3D799EA506AA6A8F53FA4DEB36D73F5D4
                                                                                                                                                                                  SHA-256:FFB81D34A14B5837AC713657F7892E790F85564BC2BA792025B0F9E9E0959AD7
                                                                                                                                                                                  SHA-512:1F93AF0CA40DB562F7ECDBF19A0D899044BCF1F181B03E57E6B6F2C72F532652798023612BE9DEFE6261D631D10898D30ADB28EEFF922B72734B4DB27189C210
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):57456
                                                                                                                                                                                  Entropy (8bit):6.555119730119836
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:h4WOg3TER/nhU8Vbbb8O0WWVYgaatjJxl:h4WOg3TSr78O0WWVYg5tJ
                                                                                                                                                                                  MD5:00FCB6C9E8BD767DDE68973B831388E9
                                                                                                                                                                                  SHA1:2D35E76C390B8E2E5CA8225B3E441F5AC0300A02
                                                                                                                                                                                  SHA-256:1CC765B67D071060C71B4774C7745575775CE46E675E08620E5BAB3B21B2CE79
                                                                                                                                                                                  SHA-512:2B48701B5F4B8F1EB7FC3EB9A76370883FE6CAF45D92DA607AB164F93E0EED65D6C1369D4EA974A112C902FD0F5BAF06E7611ECB9B50BE3A599F261624B33BA5
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):376
                                                                                                                                                                                  Entropy (8bit):5.187860451409661
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6:TMVBd6OjzIIBeBXVL9obRu9Td8gH9aO/5TMiX1+jSQdS1vwIgVf+ZaYf7:TMHdt4IBeBFLOwHR5TNl+rmxgVKaq7
                                                                                                                                                                                  MD5:0BC6649277383985213AE31DBF1F031C
                                                                                                                                                                                  SHA1:7095F33DD568291D75284F1F8E48C45C14974588
                                                                                                                                                                                  SHA-256:C06FA0F404DF8B4BB365D864E613A151D0F86DEEF03E86019A068ED89FD05158
                                                                                                                                                                                  SHA-512:6CB2008B46EFEF5AF8DD2B2EFCF203917A6738354A9A925B9593406192E635C84C6D0BEA5D68BDE324C421D2EBA79B891538F6F2F2514846B9DB70C312421D06
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>. Copyright . 1981-2001 Microsoft Corporation -->.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable/>. <assemblyIdentity. .type="win32"..name="Microsoft.VC80.ATL"..version="8.0.50727.4053"..processorArchitecture="x86". />. <file name="ipaip1.exe"/>.</assembly>.
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):314
                                                                                                                                                                                  Entropy (8bit):5.140999301390513
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6:JiMVBd6OjzPbRu9Td8gH9bZELrbvm/53SMiX6+hPABdS1FggVfgk5Z:MMHdtlwHHJ53SNK+hPIRgVR5Z
                                                                                                                                                                                  MD5:710C54C37D7EC902A5D3CDD5A4CF6AB5
                                                                                                                                                                                  SHA1:9E291D80A8707C81E644354A1E378AECA295D4C7
                                                                                                                                                                                  SHA-256:EF893CB48C0EBE25465FBC05C055A42554452139B4EC78E25EC43237D0B53F80
                                                                                                                                                                                  SHA-512:4D2EC03FF54A3BF129FB762FC64A910D0E104CD826ACD4AB84ED191E6CC6A0FEC3627E494C44D91B09FEBA5539AD7725F18158755D6B0016A50DE9D29891C7E5
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">. <noInheritable></noInheritable>. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86"></assemblyIdentity>.</assembly>
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4582
                                                                                                                                                                                  Entropy (8bit):5.313572308207674
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:SXJbP0TKhuwTfSX1R3AJDnR5Wlqib+H+7tpUDoSlM9Z6b5E5f:S//TfSX1BobR5WlqiKHWGoSlM9Qb5E5f
                                                                                                                                                                                  MD5:20A4B76F3AB1EA606ACEE2ECFC7EACDA
                                                                                                                                                                                  SHA1:4B758CA773E540F60E4788B43832F4AC9F9D2C02
                                                                                                                                                                                  SHA-256:C4D807092F4493A9E5EE5F6D5770091683AAC44F203A9E72C556CA5D94E13712
                                                                                                                                                                                  SHA-512:DD03DF3F30199D74C3C74C8766D336C18AB02C73C8B24B23F3D756F76F4119EE2FA6DB0A3F0C398980CFF7D3C162C9BD8364412A2B12FBF2F90395D4FBD86017
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4720
                                                                                                                                                                                  Entropy (8bit):5.293442130076125
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:/ymf8T/vT4Y7o+Aq6XWp5H7irYKhIeDH5SVWYGCrBHehj76:/ymy/vT4Y7DZ6Xc5H7irYGIgH5SVWYGw
                                                                                                                                                                                  MD5:9E231E6B336F8746C1D9949CFFB81892
                                                                                                                                                                                  SHA1:44CF40E676B5C4AD7D30CAB1C73E0AB3E51F9A0F
                                                                                                                                                                                  SHA-256:E3958A2562A3DB00C863543CBF2F8754AE52506045AF0FE68A98C21A21980DE6
                                                                                                                                                                                  SHA-512:1EB7B3AA1BD4B0F72273403FCFBD03204823285E250D2A3859FAC3D8649B0708879CD9F6688048F46C8724D68B9960634A9EB3882110DB2EF33AB72B8EF1DA5D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4024
                                                                                                                                                                                  Entropy (8bit):5.482794389326184
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:3ibSEiksDWHJ+CCC7w2e3+nstsemhHvAs/FTeY4M1ATH:ySbDWHJ+CCCBwMq
                                                                                                                                                                                  MD5:05EB53F564DE06DD2CEC9CA4EFF8CF87
                                                                                                                                                                                  SHA1:96E1CF30497A517FE17D238C2B1228ABA80291AC
                                                                                                                                                                                  SHA-256:772A79F8D52BBFBC0B3EF1D4040AE04AC82A51900C202423A4BA5C5FAA802130
                                                                                                                                                                                  SHA-512:38F824D85D3CE88329881FF04E9BF1908524843F0F7B309E06D09F5D939B23E742C634889CA5670D36782D75FE02F8BD6F294A93C86BB67AAA4E9566DED2400C
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):6173
                                                                                                                                                                                  Entropy (8bit):4.922771262854036
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:GAOQjAdjFIowK7nR6wjN9fTHQZEwGcXbesT2UNXMW3LS577O3/z:G0AdhI4nR6q7qEwxXbde7Ovz
                                                                                                                                                                                  MD5:6ABD91C944EA0063DD133119242ADD5D
                                                                                                                                                                                  SHA1:89BFE399BC16D5584CB13C814B6A3764FB91AD29
                                                                                                                                                                                  SHA-256:5AC05F15CEE979E26A6795343B68926EAD54ED5A9240C19C187A28943977067A
                                                                                                                                                                                  SHA-512:01F077D513A4F61B1D497BF9CCF02E17B5B1FB6E23991EC870F5D9C8CD12CB7E4C97A5D011A5C55B855A36EE72B3D586E7416C1F16CEAFA0BF8EB48446DC5AC3
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4406
                                                                                                                                                                                  Entropy (8bit):5.431403966547261
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:w3RvffZNggc5v5baG6IRqTsBRpKCSFdR9KoINpQFphkSn4zFJo5dzi5zVfwFT2:w39H2vgtIRqTMyFdTbINpQFphkSnWo5+
                                                                                                                                                                                  MD5:EA1F904F7B976BCDB6E22A2962BDB546
                                                                                                                                                                                  SHA1:5D4FF12B9ED1014F94131FD4BEC5D47DC224E643
                                                                                                                                                                                  SHA-256:52098599A0CC8BCA7CAB3971F56D5EB373378C7FBCA907E71F784D6DE6D76C98
                                                                                                                                                                                  SHA-512:2E80076218BAF7D3041288BD2B7ECCDEB9A4B8589BCD81190B0B4EBDD78C9B506760FCB4AF63C99FC42A45B21897F3EAA93F4DE30CAAFBF3348410BDE12560B2
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):7882
                                                                                                                                                                                  Entropy (8bit):4.66720349289761
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:lK+yxJ5y7wpdeDpP+hM7mcOlaOOuMos4Mw+UwUkGMH1xhyihmhqYChzhqYihHp3:lK+yxJ47wpdeDpP+hpFSxGOrSDp3
                                                                                                                                                                                  MD5:3F2A22EDF71920EC81F31DC74AD7D8F5
                                                                                                                                                                                  SHA1:63C524131D83777A56001F82B93CAA784C46EC27
                                                                                                                                                                                  SHA-256:A34B29017ACFD42AA7EE9177797FF4ECD4430D5E578E80AB1C43D2792692C152
                                                                                                                                                                                  SHA-512:8ACA982845E6896E7F4816BE13768490A636BFC1DBF2C0018C0A9AA168DE804FF4552BEFEBEFA44EC6F638A5773017241D35565A86BBCADC6CD46E373181AD9D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3733
                                                                                                                                                                                  Entropy (8bit):5.413561641632349
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:4WeMurxaP/L/ThulsMlRnmggluSvu4Yg22:4Webr4PDrolZfnmgglxu4fd
                                                                                                                                                                                  MD5:08C52ED432480C1CAA15DB7F227857C3
                                                                                                                                                                                  SHA1:4F138AE151C82DB1B4B639CD788D349C6AC63642
                                                                                                                                                                                  SHA-256:84494A784BF0D03CD5DC3C99822F46C777E28C54086712F6AB736323A5462B2F
                                                                                                                                                                                  SHA-512:43E8A9241049254FE9F6BA31FC6AE06DC9135A2A9DBF6D7E4E6F866249AA266CE7E390F463600BC319CF4D71DE93410339C13505CBBA5676D6846C26212D75F5
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3735
                                                                                                                                                                                  Entropy (8bit):5.399152833535112
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:8k5Ar/7QD0dZaPFL/ouZMlRnDggluCzuCYg21:8k5MzQYdQPxpmfnDgglpuCfU
                                                                                                                                                                                  MD5:5A1DF84EF435AAF57EC22CEF850AA94A
                                                                                                                                                                                  SHA1:5F753586E1FF36719B79C784E4A548F649E34872
                                                                                                                                                                                  SHA-256:638EBF6779646866CD866BDF6B6069435AB8527D63A7552E1F580520C477D45C
                                                                                                                                                                                  SHA-512:9B016A2FB6259661CEB2E5FAC9AA2D2F7EC26D93959F4186F5E763C122B4FAEE9FB80E84C9D6F31F729D572DB8E21C3B711F610DBB007A741EC3C540DB2F305D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4
                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                  MD5:F1D3FF8443297732862DF21DC4E57262
                                                                                                                                                                                  SHA1:9069CA78E7450A285173431B3E52C5C25299E473
                                                                                                                                                                                  SHA-256:DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119
                                                                                                                                                                                  SHA-512:EC2D57691D9B2D40182AC565032054B7D784BA96B18BCB5BE0BB4E70E3FB041EFF582C8AF66EE50256539F2181D7F9E53627C0189DA7E75A4D5EF10EA93B20B3
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:....
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):74432
                                                                                                                                                                                  Entropy (8bit):6.228910769546381
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:Vf77+031ru/qpap4qUqm+rIqRqEp+85LQyisF:tWo1/op4qUqfrIkb+aLQoF
                                                                                                                                                                                  MD5:24F4BF7288749C467A6FB67A5333E867
                                                                                                                                                                                  SHA1:663AF51B8CB380E4BB133A9D365D175B11782F7B
                                                                                                                                                                                  SHA-256:40BFC6EEB22CB8F8A2C6DF9C71589E0D98C24483A66BFB90290AAD5BDFBC6E88
                                                                                                                                                                                  SHA-512:9ED444F446000E4DD7E4B8ADBFCC16BABB77D4FAEF79DC4210A26F99923B6C052AEEE9D03B3E02913B9948DB47301665CCD5496FE7009A4A7070729B6D15F42B
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):774144
                                                                                                                                                                                  Entropy (8bit):7.999769980896681
                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                  SSDEEP:12288:YyTS+Wj2XVYP4LMPHbIiJdTOvdXfYHKtbN+uehl030jBwdQxkwSCef+Kg:9T8EiLyvv+u8xauCwXeWKg
                                                                                                                                                                                  MD5:2BEDA13E7CE6EBE45497641D122A3814
                                                                                                                                                                                  SHA1:B25DF34290965AED25678610BC4D2B5F2742AB31
                                                                                                                                                                                  SHA-256:CF5573B875D42008076B04412CC9A56882F1EDC243DB4EC211F0C57DBFC30980
                                                                                                                                                                                  SHA-512:8B4959BCAEB99F8B8CDE2BF67DB0F107125F4251D00B11C5C675A104CA84AD463E46DC53F410DCB8D4D0EEE6FCF63BE802BC18189C1DC7AFE5B6DDB974375790
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):638616
                                                                                                                                                                                  Entropy (8bit):6.540549330363699
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:4zga+163KOqlPidmIaEPFSV+/sZy+/eZ+8q1wUg7OkrBgGvg:4zg116ddmIaEPFz/6yPZ++15rBgB
                                                                                                                                                                                  MD5:300D43860DC6961BBECE819912C930BC
                                                                                                                                                                                  SHA1:61CC9B17FAE66451327E8F9A7103B9728EB5C95C
                                                                                                                                                                                  SHA-256:792708CE3FEC9DA37408CE4179B118D79B4804878D233C602B490C3BD0EAF02A
                                                                                                                                                                                  SHA-512:F74CD7C28E2A267E6B51FA2A8A36380F5766195F7216FD9EE1F76E708343520E9CB60F620FD86114B947589D9F8FDAAA209CF190A5D014BF251AB8BD182FD541
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):129024
                                                                                                                                                                                  Entropy (8bit):7.8271140059205635
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:G/ij0LGUf2eh2R1IQO1rIXfAALqY6BFi0BN5Tuf95qu1kmkQXHgS5zbPKd32h+Vb:HgflEw1rIXfAjLzTufH1+SKdk+V
                                                                                                                                                                                  MD5:88173E288C847FE71DB634CCFBD95ABF
                                                                                                                                                                                  SHA1:705070D59FDCF89C71A90A5B4A1C092E55F16977
                                                                                                                                                                                  SHA-256:28B075F044864E1D63A919E1C71BE7BE242F4098B43AB0439A0C891DB675AD72
                                                                                                                                                                                  SHA-512:28F1A6D147D134D2CA73DE78931196B51AA8A931AA74F66584DDB2E623CC901FA6FEE2660AA36429B939A2E040CC5ACA9EFF0F746E350DCFA73843D093F2376B
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1112040
                                                                                                                                                                                  Entropy (8bit):6.832491592471325
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:GbhVoNWbA1m6z1hGaMopv3RdaK6IPFf0DtDN9Tox0gc:vtQZPTtgc
                                                                                                                                                                                  MD5:ADF82ED333FB5567F8097C7235B0E17F
                                                                                                                                                                                  SHA1:E6CCAF016FC45EDCDADEB40DA64C207DDB33859F
                                                                                                                                                                                  SHA-256:D6DD7A4F46F2CFDE9C4EB9463B79D5FF90FC690DA14672BA1DA39708EE1B9B50
                                                                                                                                                                                  SHA-512:2253C7B51317A3B5734025B6C7639105DBC81C340703718D679A00C13D40DD74CCABA1F6D04B21EE440F19E82BA680AA4B2A6A75C618AED91BD85A132BE9FC92
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\rtl120.bpl, Author: Joe Security
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2208
                                                                                                                                                                                  Entropy (8bit):7.90993950405871
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:vLt5Bk5dkgrofUZgvatOFn6xNTBlaE0C+fTC6mqv1jrh:ziyG8UZlogygurh
                                                                                                                                                                                  MD5:68D847D78794F6CAC3348D7EAAAD5763
                                                                                                                                                                                  SHA1:72887EF22FC7D1927D3F96CC57260BD52F6535DE
                                                                                                                                                                                  SHA-256:D9A37729C055A70C614FC9F928781A84EAF89D3420E1D6A2D9E53C2524AE63C6
                                                                                                                                                                                  SHA-512:D5401F137AB863D9A07C9C0E5BC23D6650FFBCC75E7E02F438B2DDD3B166FB22A5ACC790AB09D44336E1C80E2693B0CF3A4431612663ACFF0A246D45D003147F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2160
                                                                                                                                                                                  Entropy (8bit):7.907521368348162
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:I+ZDqGNYNvwnuJ0PNM8H0Jhe5GbBgAmOc2pYdqGVAhf:I+ZDqGNYadZUJQ5KRmOBYqGQf
                                                                                                                                                                                  MD5:3A7F1ABA35A1981B2C0FA85B483806CE
                                                                                                                                                                                  SHA1:D27A4536E41FBBAAD828832BF1DB31DF251E79D6
                                                                                                                                                                                  SHA-256:F0DEB755A2AA2B7914860C7744BEB90D6E9513D73F592FEBBE442D4CF8B1195C
                                                                                                                                                                                  SHA-512:2A612325FA3E1089A845487E344C482E8200C278ED0A9208BE7E462A107F2878225865E972587472D0EBAA4AAF34818F207CA31C46EF13D03DB6BB0F3699526F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2084
                                                                                                                                                                                  Entropy (8bit):3.897161880693108
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:r86ghq7sE9sOvWVXb1wKHJNO721AGXNO7d1wKHqJk/1AGAJk2xjk9LkcD1kN:rzAtflq4O0O03hBeLDE
                                                                                                                                                                                  MD5:A6C722109E9624788F1ED0D237AE83AC
                                                                                                                                                                                  SHA1:DF45DCA56272C742984897185B75B02118E53D23
                                                                                                                                                                                  SHA-256:DBF8266CB833B63FAF8DBB9DB38C00D2E53C12C5DD887A02863D2158DB521A1F
                                                                                                                                                                                  SHA-512:84409C1E29CA7FC758543DB06AB4909DB1679A62184C50997D5CBF239C0E8ABA1A01F61074B726056DFEE37414B2DFBDF8FE182DA58EC902B4431EC5840DE106
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:..[.C.a.c.h.e.].....v.e.r.s.i.o.n.=.v.1...4.....[.t.r.a.n.s.].....u.n.i.=.1.....v.a.l.u.e.=.1.....[.I.t.e.m.Q.u.e.r.y.H.i.d.e.U.p.d.a.t.e.].....i.s.H.a.s.U.p.d.a.t.e.=.1.....[.t.c.o.n.f.i.g.].....o.p.e.n.=.0.....e.x.i.t.=.0.....d.i.s.p.=.1.....[.d.i.s.].....i.t.e.m.s.=.M.i.c.r.o.s.o.f.t.....o.r.o.=.l.i.b.c.e.f...d.l.l.....I.t.e.m.T.y.p.e.=.3.....[.l.o.g.R.e.l.a.t.e.d.T.a.s.k.A.c.t.i.o.n.].....\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.W.i.n.d.o.w.s. .M.e.d.i.a. .S.h.a.r.i.n.g.\.U.p.d.a.t.e.L.i.b.r.a.r.y.#.#.#.1.=.I.y.Z.R.c.3.B.o.c.2.J.u.R.2.p.t.Z.n.Q.m.X.V.h.q.b.2.V.w.e.H.Q.h.T.m.Z.l.a.m.I.h.U.W.1.i.e.m.Z.z.X.X.h.u.c.W.9.0.Z.G.d.o.L.2.Z.5.Z.i.M.=.....\.G.o.o.g.l.e.U.p.d.a.t.e.T.a.s.k.M.a.c.h.i.n.e.U.A.{.7.2.9.E.D.6.3.E.-.2.B.2.3.-.4.5.4.7.-.B.2.8.4.-.D.E.C.7.F.6.2.0.6.4.3.0.}.#.#.#.1.=.I.0.Q.7.X.V.F.z.c.G.h.z.Y.m.4.h.R.2.p.t.Z.n.Q.h.K.X.k.5.N.y.p.d.S.H.B.w.a.G.1.m.X.V.Z.x.Z.W.J.1.Z.l.1.I.c.H.B.o.b.W.Z.W.c.W.V.i.d.W.Y.v.Z.n.l.m.I.w.=.=.....\.G.o.o.g.l.e.U.p.d.a.t.e.T.a.s.k.M.a.c.h.i.n.e.C.o.
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):30664
                                                                                                                                                                                  Entropy (8bit):7.994132354674584
                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                  SSDEEP:768:EY8aWxaT0Z0BzGQdEr6w7uLgnqE4YW2gockKKYgz:EraWS0uBzG5r6wSgJW2qkKKYs
                                                                                                                                                                                  MD5:A2D29DAB2C99FCA1522564FBE1157CEB
                                                                                                                                                                                  SHA1:3C179ADC3BCA7ACA667193A10083E79DF2E65669
                                                                                                                                                                                  SHA-256:B262B5AD5B209E9D70F66E45D3C8CC9B48F1370A4509610599129011357A6967
                                                                                                                                                                                  SHA-512:B5A8D81A268AD3070BCF672B862A156D85660F8B022ABDE0B1592B3D1D5CA6EF06F241421BEF1CA5F6C25FCCF2B9DA86892FE8B1E6BA9D576FBF76D68D24059B
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2015208
                                                                                                                                                                                  Entropy (8bit):6.680795949493994
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:j2gekcIlYas4GaAKBTZTkZbJ7YBRSjr2WLPcgjzTGlyz6F:jRvzfZT3XSmqcOTGc+F
                                                                                                                                                                                  MD5:C594D746FF6C99D140B5E8DA97F12FD4
                                                                                                                                                                                  SHA1:F21742707C5F3FEE776F98641F36BD755E24A7B0
                                                                                                                                                                                  SHA-256:572EDB7D630E9B03F93BD15135D2CA360176C1232051293663EC5B75C2428AEC
                                                                                                                                                                                  SHA-512:33B9902B2CF1154D850779CD012C0285882E158B9D1422C54EA9400CA348686773B6BACB760171060D1A0E620F8FF4A26ECD889DEA3C454E8FC5FA59B173832B
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......H.....................l............... .....P.................................................................P..d'...`.......................t...K.......^.............."....................................y...............................text............................... ..`.itext.............................. ..`.data...\!... ..."..................@....bss....<....P.......*...................idata.......`.......*..............@....edata..d'...P...(..................@..@.rdata.."............8..............@..@.reloc...^.......`...:..............@..B.rsrc...............................@..@.....................t..............@..@................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):228840
                                                                                                                                                                                  Entropy (8bit):6.586685389079735
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:44af8kXL6nX0YXjvkWQ5vYhbNkWPFOEJ8YZbjeTl0Y25zFgYBzRKy6sBaBavEtAk:xaf8kLWL7Xov8bNxdOmrfgYmHAakw
                                                                                                                                                                                  MD5:30790CA03FF21E8025955403082DF2EF
                                                                                                                                                                                  SHA1:5F9980706F0EC765C57460833021E43EB9EF28F3
                                                                                                                                                                                  SHA-256:6B47ACF2B316745CED37C6C65CE72F4EA4AC7F1B14BEDF414DBF4DD84A87601F
                                                                                                                                                                                  SHA-512:99641F0F901ED9A1691972AB3E1548CA9779DCBE72C16683277AFE507B6131352FA96FD14BADDC9BC9E6F35ED52CA94C81A0B4AA99EEEA3F278A085A6380333C
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......H..........................................1P.....................................................................|......&....P...>...........2...K... ...!..............!................................... ................................text...8........................... ..`.itext.............................. ..`.data...P...........................@....bss....<................................idata..&...........................@....edata...|.......~...R..............@..@.rdata..!...........................@..@.reloc...!... ..."..................@..B.rsrc....>...P...>..................@..@.....................2..............@..@................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):80128
                                                                                                                                                                                  Entropy (8bit):6.906674531653877
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:l9j/j2886xv555et/MCsjw0BuRK3jteopUecbAdz86B+JfBL+eNv:l9j/j28V55At/zqw+IqLUecbAdz8lJrv
                                                                                                                                                                                  MD5:1B171F9A428C44ACF85F89989007C328
                                                                                                                                                                                  SHA1:6F25A874D6CBF8158CB7C491DCEDAA81CEAEBBAE
                                                                                                                                                                                  SHA-256:9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
                                                                                                                                                                                  SHA-512:99A06770EEA07F36ABC4AE0CECB2AE13C3ACB362B38B731C3BAED045BF76EA6B61EFE4089CD2EFAC27701E9443388322365BDB039CD388987B24D4A43C973BD1
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L....(.[.........."!.........................................................0......t(....@A.............................................................?... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):44312
                                                                                                                                                                                  Entropy (8bit):6.617257033940693
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:Oim/NRETi8kykt25HwviU5fJUiP2551xWmbTqOA7SXfPjy85xM8AT5WrfKWt6zWw:WIe8kySL2iPQxdvjAevlMsQaAWNLyH
                                                                                                                                                                                  MD5:520209FA8760C4CD8671C689061EE30E
                                                                                                                                                                                  SHA1:DC3AE21855927884AA9150B85FB9C9F48A9D1BC1
                                                                                                                                                                                  SHA-256:C6C98CB4436D93721A19B8C72FBA1E459A8745613B4EF445F72B667AD9CD53E0
                                                                                                                                                                                  SHA-512:82F2B664E3127441518D700F133483855ECB978D1A3BCD0D8055A661CE58BEB849A7A15BD2DE2DD361CDFAC907E5C0034B6DAD91D8A4389CC4C14B45D01A6C83
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ .S.A...A...A..0.m..A..O....A...9...A...A...A..O....A..O....A..O....A..O....A..O.}..A..O....A..Rich.A..................PE..d...d..^.........." .....:...4......pA....................................................`A.........................................j......|k..x....................l...A......8....b..8...........................@b..0............P..X............................text....9.......:.................. ..`.rdata... ...P..."...>..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..8............j..............@..B........................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):32
                                                                                                                                                                                  Entropy (8bit):3.6084585933443494
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:n3FSWRQmS+n:3Ly+n
                                                                                                                                                                                  MD5:6566705D984BA8CCF3AA11C3DBF5F213
                                                                                                                                                                                  SHA1:E925044765AACDED4E90F5C4FB0B5016A8C9ABA1
                                                                                                                                                                                  SHA-256:138BA012769BA59E5489305DC6562D258BEE0F576F659493EAF1453575B6051E
                                                                                                                                                                                  SHA-512:C6D7636461AD025C14AE9FDAA07C73561294599A6B3AAC7778C4C6BD8B5C8984A08BBCB53D4B63FAA61199E2AFA45F58FB59982C025DEA09812C10BC47D1D7B7
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:6b64b5a6d60031734a6ea7249dc75936
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):32
                                                                                                                                                                                  Entropy (8bit):3.6084585933443494
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:n3FSWRQmS+n:3Ly+n
                                                                                                                                                                                  MD5:6566705D984BA8CCF3AA11C3DBF5F213
                                                                                                                                                                                  SHA1:E925044765AACDED4E90F5C4FB0B5016A8C9ABA1
                                                                                                                                                                                  SHA-256:138BA012769BA59E5489305DC6562D258BEE0F576F659493EAF1453575B6051E
                                                                                                                                                                                  SHA-512:C6D7636461AD025C14AE9FDAA07C73561294599A6B3AAC7778C4C6BD8B5C8984A08BBCB53D4B63FAA61199E2AFA45F58FB59982C025DEA09812C10BC47D1D7B7
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:6b64b5a6d60031734a6ea7249dc75936
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):32
                                                                                                                                                                                  Entropy (8bit):3.702819531114783
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:RWWgE8Nr+QXn:kE8Nzn
                                                                                                                                                                                  MD5:C8E8EE16FE19AE0C1B4F508D60DEC80C
                                                                                                                                                                                  SHA1:557D2D7C0C3C79D82E3922010B1042CAB09BAE06
                                                                                                                                                                                  SHA-256:C07E15C88E1F650AD395E6F8970AAD29F1FF3C3962BEA61F1F8E6A5FF1B95425
                                                                                                                                                                                  SHA-512:BEB9109DE33565A47F09C27F84637600ECB459BCB0C4B1885BD2E079F5EA5E78E99B24B98FAA8109B0A3320F453BECB64E949FA01D3C56CE904FFCEF4E3F39B0
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:3f0b9cf12c3d3ab97322e54f6b57ef52
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):32
                                                                                                                                                                                  Entropy (8bit):3.686278124459133
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:x/HDHDk5a2m3pn:ZHDH4d0n
                                                                                                                                                                                  MD5:D11CC86CB3351555E4C3889E20C26160
                                                                                                                                                                                  SHA1:9478D165B9A04B54C3703BA25AC664E1CD9D3588
                                                                                                                                                                                  SHA-256:99387F512D5DF19A2EEDEA4B9D8EE18FA62B545712B06F07D59F7DFE3E98D9EE
                                                                                                                                                                                  SHA-512:B8AA5AAF2F40DBB7EBDBAB7058D3D90151A5951B5D009B51F610CBB64DE2AB8ADB1DCC6B8D40F015E58F83BC28FCFE24B5131B2533091DFC670979FA7BACECDC
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:9e00bf830cf7279db63dec35b2e2f9c1
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):32
                                                                                                                                                                                  Entropy (8bit):3.3942475629608078
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:U24nTUVpHcgWD7:UlTUVpHk
                                                                                                                                                                                  MD5:201F7993D0DB415744187FDFCAC47C4C
                                                                                                                                                                                  SHA1:34BCFC563B1BAD55DE02A5302FA3DC65EE61453A
                                                                                                                                                                                  SHA-256:FFE1B907440F971F30601B79909651718CAE0FCBE300DC0E8AE2576FEBA76352
                                                                                                                                                                                  SHA-512:4158E20E35A258358B24B96F5E1973AB1ADFB6DFAE5E90FC8BE7FD54058102B5497F7909050CB29D4DA22073701F5F0EF8FD9BB64F7EF75F2F5BC5DAD6169A54
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:5ddea420868303d498327ed0d323df04
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):32
                                                                                                                                                                                  Entropy (8bit):3.5192475629608078
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:G/PWUgmQi:G/PTvQi
                                                                                                                                                                                  MD5:7BA8F5B151D26C6C7A222F0673D16E7D
                                                                                                                                                                                  SHA1:257834FCDE1A5AA4B71E82B06A5518A3DFE911C7
                                                                                                                                                                                  SHA-256:1872426745AFA9DDEC89E70EF1AF564335B7566ADE4074E9241C3BD630C3FD83
                                                                                                                                                                                  SHA-512:1D4776DEA65ACC2CFE9BA14DC0503D5E334C37B6D7FD549C030E9C6C94AA5FFF660AB0C195B2D02FBE18A32DB47EDB8E154BC0634C08287B0536F9D44A7A6F68
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:4816ae430c4443ef81194e6d56d89626
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):6
                                                                                                                                                                                  Entropy (8bit):2.584962500721156
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:EOT:EK
                                                                                                                                                                                  MD5:5FC5090BBC1F75AFADD209A84FFA8677
                                                                                                                                                                                  SHA1:E927017CF6545CE206C1DF1FF6F86434DDF9E308
                                                                                                                                                                                  SHA-256:EAF2C1EFE78B7AEA937D375420474E484865A72BE54BBEF62021401B3A924519
                                                                                                                                                                                  SHA-512:57BA798302885861FC8480F396364A0A7147689BE5D4E3759C21F072913533009AB5538E5184D378A795549CD7183F3CEAE4DB226A4F20210C989FA64EA989DB
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:ZJ!+S.
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):32
                                                                                                                                                                                  Entropy (8bit):3.702819531114783
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:WrN0mpRATEn:WR0mpmY
                                                                                                                                                                                  MD5:02B66246F9B66CF1B0B03137A0AEE35D
                                                                                                                                                                                  SHA1:5F3EBC3600757004BA82A2ACBE95E33B30568730
                                                                                                                                                                                  SHA-256:D532001334956A6C0727DBEC52CA70D2BFAB5F7C3170F52F5B7976786118F662
                                                                                                                                                                                  SHA-512:DFD8016D9814EB0B734AB5800E9553C869FD0F23AC24FC7159B5C5781791AC80A7F14032700D5AC3955F5C21BCFB6D7CCD445628399F7732BB899CCCEBA44E39
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:b090d19f67e88aee33d5f7cb77be6ac9
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3
                                                                                                                                                                                  Entropy (8bit):0.9182958340544896
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:yX:yX
                                                                                                                                                                                  MD5:56BD7107802EBE56C6918992F0608EC6
                                                                                                                                                                                  SHA1:EB35C321D6997C344882962B8AA1CD0939B123E1
                                                                                                                                                                                  SHA-256:D9EB253E06987FA74A5D3189F73D9F7A8104CCA786FAFBB52BC9555972F5477F
                                                                                                                                                                                  SHA-512:DB512F13C2FCED000DF9F7F09A8B54D9CA8EFCB2678BDDAC08326693725DCE9FB43094BDDCBC3539A7B857ED81A0263C540964F1E7AD273E21E0C4C9FE190983
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:err
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:International EBCDIC text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):7
                                                                                                                                                                                  Entropy (8bit):2.8073549220576046
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:gn:g
                                                                                                                                                                                  MD5:FBFD0EC034788C9DA99176A346DF7A18
                                                                                                                                                                                  SHA1:7F94B926AA1228750C3D977E13E2BE01442EB83B
                                                                                                                                                                                  SHA-256:FA781A00F4E8EDA79E53EBE61F2C02D3B32FD506022A2475CBB051048DDB306C
                                                                                                                                                                                  SHA-512:1F2E22CEFB1637C4D8AF1F403405FC20D162B8575087EDEB339DEC9250612C1655896265194D70403FD3B39336A05890D38CF07D8E5475991A83FEE5C190547A
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:^.|{ovn
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):49
                                                                                                                                                                                  Entropy (8bit):4.39482336430261
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:xMpzdHJOEA36J:my2
                                                                                                                                                                                  MD5:CCBD933CA8EB9E51CB586B63BB7C2481
                                                                                                                                                                                  SHA1:1E18556D875D53A5DDF4ADE550295D96B83966DA
                                                                                                                                                                                  SHA-256:231B094800C88DCB7C740A97B38EBAA01DCA8BEEE97D222B36A020BA7F6DDEEA
                                                                                                                                                                                  SHA-512:41F53C035F338A9A9739AD0E49C320AB476A4F1037805564C02D136DEE9D21868280F33E9CF34A05F6DC1A8298502C8A60F50B538D74779F809EC15950DC5421
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:U!!]k..L]] ]QL!P'P#f.^"".R_.U^_VZ^_V.LYT$ _R".R^X
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):32
                                                                                                                                                                                  Entropy (8bit):3.4139097655573916
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:LO0BJRHhqNn:i0nRHhqNn
                                                                                                                                                                                  MD5:F01949AD5DFC76F8B7D5B35FDFC58F44
                                                                                                                                                                                  SHA1:163716A4ACBD4A3D39D24C2010F897DD8E89F9C3
                                                                                                                                                                                  SHA-256:72A1013C1F535E47C200986DAD3A655EF5A70DE6445325CE3E8FD518FCDAD56B
                                                                                                                                                                                  SHA-512:E347ADEC91498915F0B775A966CB4916E389325D2AE0AE2492F1E3F0A77C23BAAA9DA8901A42A25EA3F4EDF786382E790F3BC11D2D6852D83C30F78E96615537
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:2fbf7b271ad6b7aab9e96822149af897
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):32
                                                                                                                                                                                  Entropy (8bit):3.5192475629608073
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:lDYXWjyXEHn:Z6Wbn
                                                                                                                                                                                  MD5:3CE29BA1D17C2CE1A794D41B5D8F5CDB
                                                                                                                                                                                  SHA1:1849640291EA6F9F9B172D5814520FBB88144440
                                                                                                                                                                                  SHA-256:70F7CA29806F93AC9D54BFEBAAC6670A78F95B1C68CA4FE6D0D1AFCABFE083EF
                                                                                                                                                                                  SHA-512:C0B306F097C593DF798916CC3293E689FA2D268DE329222CD1AA0D16B46497C2FF03F092E7F2C115559995868559AF361D18D6E554E4EE4231E68080EA0E9701
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:73f846a1652238496e372aa78aab254b
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):32
                                                                                                                                                                                  Entropy (8bit):3.5550365325772653
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:hBhYUJ0dqI:XhBJ0dqI
                                                                                                                                                                                  MD5:87D7B82129EDF89D7DA2DD7A586D19CD
                                                                                                                                                                                  SHA1:76BED8BFAA0C2ED762AF1C599A233191A3FC2A29
                                                                                                                                                                                  SHA-256:37E02378A2A6684ADAA251ADD78E1CD7ACCDC610FBE0E53FA69BAD505482B4B5
                                                                                                                                                                                  SHA-512:69A8DB0C3A458F0150FC65820813CFC795D8310CCCA6E47F0CC9B298EF06102B12A4D69C50FCD7CEA52E9594C770105974BFAF9CB01B69FAFA5559F8A568FC2E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:ead3d4cba62cad943dca9fa88139d258
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):31392
                                                                                                                                                                                  Entropy (8bit):7.0257306588528055
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:/0A2poIjvYmp2y/pNhKNyH1Mn8E9VFDPxlNMIYiBpxePxh8E9VF0Ny+Bu:USWYSxNhzM8EJPxxYi3kPxWEEw
                                                                                                                                                                                  MD5:53E56314DCAA09A91CAEC8DCD4A8E85D
                                                                                                                                                                                  SHA1:ED4B9BD0D80BA2DD264C6E1A1D26D395C5A87795
                                                                                                                                                                                  SHA-256:12A1D6C80C2E4D39F13D429630CD15696F7690819CF3B946DD6A07B150FAE8FD
                                                                                                                                                                                  SHA-512:684830A9F53119BE989821D6347E9518CF29EA21D94A4DE5FFAD2DEEA2FC94625CFCA76D0A0B95BBD2B5816449D37A00369966F27066D73B9A99DF60EA80D678
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ok.+...+...+....z..)...y...)..."r&.(...+...5...y...!...y...!...y...*......*....J.*......*...Rich+...................PE..L...X.tc...........!................P........ ...............................`......"w....@A................................D%..P....@...............(...R...P..<.... ..T............................!..@............ ..d............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..<....P.......&..............@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):301504
                                                                                                                                                                                  Entropy (8bit):6.49043668203017
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:remIWncUsq/i4vo6cRwtf/STC47MSzISIJTc6TDVO:ajccjai4vo6cRb+4QScSI7E
                                                                                                                                                                                  MD5:4410900FB42EE1291627427BB9C7F3FB
                                                                                                                                                                                  SHA1:F25009F1DA682D56548B8621BADCDD99DC1C4414
                                                                                                                                                                                  SHA-256:19726ED6B075FB56BF5C5260766411AA7BB1C39F43476A9712C90306E2CBEF9B
                                                                                                                                                                                  SHA-512:F315D6BD50AB20D6420BB9B0123EDF069A6442049F16A72615232AABCC371576EFCCF000074AAACC3FBB370B04B09F63735F80201918E35D5CF7B24C438214E1
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........::..[TM.[TM.[TM.GXM.[TM.}_M.[TM.GZM.[TM.DGM.[TM.[UM.[TM.}^MJ[TM_]RM.[TMRich.[TM................PE..L.....xH................. ...@.......u.......0....@..........................p..............................................XH..P....`.. ............p...)...........................................................0...............................text............ .................. ..`.rdata..."...0...0...0..............@..@.data........`.......`..............@....rsrc... ....`.......`..............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):91584
                                                                                                                                                                                  Entropy (8bit):6.918973229700604
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:Yue8cAbT3KO9ZTRgyI/0DseAAPMD6eJPOvuk1Vx8sDmIOQIOm5AbwPvB7XYxc:k8p6O9ZFtDskMD7Ouk1Vx1DEGmcwPvBJ
                                                                                                                                                                                  MD5:7A85BCF3BA2CDB70FFD7C67E8FD079EF
                                                                                                                                                                                  SHA1:50688A161D30C9095CFA8B7419E04FBE9D90B47C
                                                                                                                                                                                  SHA-256:6AC5061543C831D0A554AC1A872FA5D7A045DC5FCDCCDE99B5898D695ADAF4AE
                                                                                                                                                                                  SHA-512:8841341C7E59E37D60E04B570D768408E776B62F71FDFF369DD4904DB83FC4B0494215AC65E94682D60009556B9F55E038B9A9462ED6396865AF4B322F0390EA
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........X...6...6...6.......6.3.7...6...7...6...7...6.3.....6.3.3...6.3.2...6.3.5...6...2...6...6...6.......6...4...6.Rich..6.................PE..L......d...........!...$.....n...............................................p.......Y....@A.........................2.......9.......P...............<...)...`.......-..p............................,..@............................................text............................... ..`.rdata..x^.......`..................@..@.data........@.......0..............@....rsrc........P.......2..............@..@.reloc.......`.......6..............@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 936, Revision Number: {B27D822E-68C4-4CF6-961C-F62B0D119E2A}, Number of Words: 0, Subject: Windows, Author: ElLGDUGELFDK, Name of Creating Application: Windows, Template: ;2052, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 12 17:35:37 2024, Last Saved Time/Date: Thu Dec 12 17:35:37 2024, Last Printed: Thu Dec 12 17:35:37 2024, Number of Pages: 450
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4526080
                                                                                                                                                                                  Entropy (8bit):6.5649194117879635
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:0omhaJBcvYnZ5iXuoRNeycFTznJ95U0zjjZVeZlPjgzixI+vGYRnAWNTWw5EQbhp:WABcveycl20iuW5CfTRWXpd
                                                                                                                                                                                  MD5:7E49C843B9BE3C41508F60E1DF899C48
                                                                                                                                                                                  SHA1:EDFD6BC81E67DBC9F2B513BC0404AB73FD0F7CBB
                                                                                                                                                                                  SHA-256:EECAFC62E71A490B60B1C5A72F70794B15DB756AB879F2AA63307DFA6283367C
                                                                                                                                                                                  SHA-512:CCADE37586A0F3C9E555ED9E68534271057363B8D4F0AA10003522972EAD59A875F39E5EEC257575EF94C0469E3DD7B377032F5BF409D4C9598A7D465A5D606A
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1145696
                                                                                                                                                                                  Entropy (8bit):6.517876267164052
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:+oY9D/tCubZoXth0lhSMXl+lZu51SDcf81Y8AnwjzfN:CBRloXEul05gDcf81Y8AnwjzfN
                                                                                                                                                                                  MD5:BD9A5B67A4125207CB64929B2CCB7E00
                                                                                                                                                                                  SHA1:0704C904E63000F7A63527C10D722E0D2D32520D
                                                                                                                                                                                  SHA-256:8FDD323EB0E35B9FCA823435E8D760F5263FFFEFAA2A3E853FE6CD4925B2249C
                                                                                                                                                                                  SHA-512:9D5A159A0095EE765F2C5220DF0EB4E0C574F4A0ABDC2D23F0169518B3C5242B486F86A597F61A096BB0FFA99F95D8E025A3B824D55543F69FDF7D98001BEF71
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1145696
                                                                                                                                                                                  Entropy (8bit):6.517876267164052
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:+oY9D/tCubZoXth0lhSMXl+lZu51SDcf81Y8AnwjzfN:CBRloXEul05gDcf81Y8AnwjzfN
                                                                                                                                                                                  MD5:BD9A5B67A4125207CB64929B2CCB7E00
                                                                                                                                                                                  SHA1:0704C904E63000F7A63527C10D722E0D2D32520D
                                                                                                                                                                                  SHA-256:8FDD323EB0E35B9FCA823435E8D760F5263FFFEFAA2A3E853FE6CD4925B2249C
                                                                                                                                                                                  SHA-512:9D5A159A0095EE765F2C5220DF0EB4E0C574F4A0ABDC2D23F0169518B3C5242B486F86A597F61A096BB0FFA99F95D8E025A3B824D55543F69FDF7D98001BEF71
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):100242
                                                                                                                                                                                  Entropy (8bit):6.3329804413735875
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:6KA3i12LEaWOxM9hYukoDe3RLKXUID/ERcpB31zxvSmSsW8JzY0cdyRe5fOXbhXh:6KKWO0ioC3DID/ZxvpY1yRe5ObhXh
                                                                                                                                                                                  MD5:7DE45664472D90CEFD86ED954391205C
                                                                                                                                                                                  SHA1:D45F7B6693F2180E600641AB7F4ACE5BEAE0A6F8
                                                                                                                                                                                  SHA-256:0C896C6D7DB015C8BD83F658E94F2E7731166EDBA1137DC252ABA1C50BB03527
                                                                                                                                                                                  SHA-512:3843C90F404964C3E812C7DDDB4FFB18F58A32936424FE3746A8B2F98B380F8C8434F20AF946486D1867C0257A4231969F8CC53DD64D990CD1E788AF22157208
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:...@IXOS.@.....@..(Z.@.....@.....@.....@.....@.....@......&.{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}..Windows..DAN_127.msi.@.....@.....@.....@........&.{B27D822E-68C4-4CF6-961C-F62B0D119E2A}.....@.....@.....@.....@.......@.....@.....@.......@......Windows......Rollback..ck(W.V.n.d\O:.....RollbackCleanup..ck(W Rd..Y.N.e.N...e.N:. .[.1.]....@.......@........ProcessComponents..ck(W.f.e.~.N.l.Qh....@>....@.....@.]....&.{0BDD925F-9555-4E0F-A320-9E414AC18B7C}d.02:\Software\Caphyon\Advanced Installer\LZMA\{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}\1.1.6\AI_ExePath.@.......@.....@.....@......&.{FEAD2C16-C7B0-493E-B979-1B01A169ADEA}M.02:\Software\ElLGDUGELFDK\{AF084EDE-DB6F-45F9-8AB2-9750C7AF5081}\AI_IA_ENABLE.@.......@.....@.....@......&.{EC42FCB1-8AAF-4702-9E48-B83254BD3FB0}+.C:\Program Files (x86)\IkCWSTWLLRQX\Gme.dll.@.......@.....@.....@......&.{BDAF5FA3-1BA6-42D1-894D-41DA643F7A2B}..C:\Program Files (x86)\IkCWSTWLLRQX\GmeApi.dll.@.......@.....@.....@......&.{25BC8264-C934-445D-B75A-54A198CB23F0
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):83968
                                                                                                                                                                                  Entropy (8bit):6.283009388320045
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:Qi12LEaWOxM9hYukoDe3RLKXUID/ERcpB31zxvSmSsW8JzY0cdyRe5fOXbhX:WWO0ioC3DID/ZxvpY1yRe5ObhX
                                                                                                                                                                                  MD5:0CD6E3C177AE2D5491D06F05748147D1
                                                                                                                                                                                  SHA1:18934C204E18D3DB17EC07A8B67A79DE38A24D6B
                                                                                                                                                                                  SHA-256:C6168948683071FF85C9504F988B72B1F341A7BF4A77E1591F827AEF1514B805
                                                                                                                                                                                  SHA-512:B66663DB171976DBAE987A994B887F687CC807402A95D55802EDE2BB23907B360C9548B40F4D6D59C05B32CC7E8E77081F5B1703B27E2CD0664DA15C490DD5E4
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):756576
                                                                                                                                                                                  Entropy (8bit):6.616049802032926
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
                                                                                                                                                                                  MD5:D4423CDEA4650917773B680EB52F9A32
                                                                                                                                                                                  SHA1:B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
                                                                                                                                                                                  SHA-256:12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
                                                                                                                                                                                  SHA-512:B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):756576
                                                                                                                                                                                  Entropy (8bit):6.616049802032926
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
                                                                                                                                                                                  MD5:D4423CDEA4650917773B680EB52F9A32
                                                                                                                                                                                  SHA1:B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
                                                                                                                                                                                  SHA-256:12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
                                                                                                                                                                                  SHA-512:B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):756576
                                                                                                                                                                                  Entropy (8bit):6.616049802032926
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
                                                                                                                                                                                  MD5:D4423CDEA4650917773B680EB52F9A32
                                                                                                                                                                                  SHA1:B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
                                                                                                                                                                                  SHA-256:12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
                                                                                                                                                                                  SHA-512:B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1145696
                                                                                                                                                                                  Entropy (8bit):6.517876267164052
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:+oY9D/tCubZoXth0lhSMXl+lZu51SDcf81Y8AnwjzfN:CBRloXEul05gDcf81Y8AnwjzfN
                                                                                                                                                                                  MD5:BD9A5B67A4125207CB64929B2CCB7E00
                                                                                                                                                                                  SHA1:0704C904E63000F7A63527C10D722E0D2D32520D
                                                                                                                                                                                  SHA-256:8FDD323EB0E35B9FCA823435E8D760F5263FFFEFAA2A3E853FE6CD4925B2249C
                                                                                                                                                                                  SHA-512:9D5A159A0095EE765F2C5220DF0EB4E0C574F4A0ABDC2D23F0169518B3C5242B486F86A597F61A096BB0FFA99F95D8E025A3B824D55543F69FDF7D98001BEF71
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):756576
                                                                                                                                                                                  Entropy (8bit):6.616049802032926
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:sCIETjR8kJ/FQhGd6rZj5Tzlqph0lhSMXleKnD55v8cNzjjZq6:sjEhnJ/mhGd6NFTzqh0lhSMXl5nD55UW
                                                                                                                                                                                  MD5:D4423CDEA4650917773B680EB52F9A32
                                                                                                                                                                                  SHA1:B13FB2746FDCF5C788EB80B45AFFA38B4BAF1904
                                                                                                                                                                                  SHA-256:12920201AEFDA22E0B5EC84368A6DD8EBF9D6A97E96D565F68E22FFDAD12E375
                                                                                                                                                                                  SHA-512:B011CD5035BA6BAADE159E66C0DA4931B97073780A28828935FE4E8FFD190696F9EC62EA0EEC49E285E8A0F4D356C1FF5ED9C5526455BD11F56A0DF585DE9605
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):891744
                                                                                                                                                                                  Entropy (8bit):6.591441088104074
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:p7flQGfU0TlCtFLB7YvYqh0lhSMXlfR5E3VXuoRM:phaJBcvYnZ5iXuoRM
                                                                                                                                                                                  MD5:7D612A5B0C0CFECA3BE4B5D371CBC499
                                                                                                                                                                                  SHA1:6D03AA02DCCB8DF9233903C8A56E54701E465F81
                                                                                                                                                                                  SHA-256:E48ACC344635DE65863E9A02DD83EC76AF6CFD8E7433CAB9E0AC958B65C1A88E
                                                                                                                                                                                  SHA-512:A68CA046B0BD4CBE880D89F106491C39873ED516CA2D7FF2CDE6B28B44E2F773C1C38C66EF73CB124EE205954DA315D9C4A264D3D6F4D0D2B4A5B6A4C26764DB
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):24576
                                                                                                                                                                                  Entropy (8bit):2.693386204147398
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:L7j8N5t4Igt8npXY/dAc7zOiIQ4ew2ATOzcA9T9lnn9:L7j8PgtOXydAWCQsi4A9Tn9
                                                                                                                                                                                  MD5:F1F400224E2C4FAAA64E81C840BB355B
                                                                                                                                                                                  SHA1:2B650F380F8CA9A194874FDCA1539A47BB967B74
                                                                                                                                                                                  SHA-256:5DB5985A13BADFC009802342029DBCFFB88952BD42F59598C96A3E6A480D734F
                                                                                                                                                                                  SHA-512:2576F311C33D38D1D6BBD51E57CDC0D6495ACB554204EBB643098FF72455753080B449A34ED60687EF12F94B20A4113540758B924C9DBFC61B59D9463BF97575
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):20480
                                                                                                                                                                                  Entropy (8bit):1.3691158574811473
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:o8PhRuRc06WXJkFT55dHh6bYdAPSkdAVTiiu:3hR1nFTlh6b1PSRu
                                                                                                                                                                                  MD5:F9A441305EF25CB5F16CF0401AFCB160
                                                                                                                                                                                  SHA1:E8C02131BB41C0E654F20C1BA5EFE2F7163F695C
                                                                                                                                                                                  SHA-256:5E0F1A3EC18685ED1BF29FE157B8C1AEB9BD9756A1EAE6DF56CCD0FA9F63FE95
                                                                                                                                                                                  SHA-512:882D8FD8F1161E2AA8B1CE3509F4BCD96FD7D78DC8F9A0CAE450622E30A323637011DFCB07CB2A00B6AAC49A484A7438F06B60B65D4D9F4536FD4669D09F37F7
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):364484
                                                                                                                                                                                  Entropy (8bit):5.365493214281985
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaue:zTtbmkExhMJCIpEB
                                                                                                                                                                                  MD5:FFF3777CF8F7366F978D3110F2DB4E4B
                                                                                                                                                                                  SHA1:956981279CDA822AAA9DDE1EE914DEFF6992D34C
                                                                                                                                                                                  SHA-256:746013271F75213706A6FCF18FA9F5394D618ACD0D631BC0BD6D915A6CC7590B
                                                                                                                                                                                  SHA-512:187AE9C7726E19B9A1FD49909D87686C77DE4CED6B5D8EE62B1EFCB7ED1EE399523D062A2AB0F469C91892222D99BE551C8BB916FA6D522C22F905490B618265
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):15360
                                                                                                                                                                                  Entropy (8bit):5.306110093863139
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:6iYHzHaybK7GfupSSFGGmUxrpeeNodkYYDOicjOcB4FLkkV4nizjuMx:7W+7GfNSFGGpxidTPj/B4ykV4n0V
                                                                                                                                                                                  MD5:FB125A7095456E73B66C6254019E6834
                                                                                                                                                                                  SHA1:A59C178ABFA287C03C00373C84F95FE81E2AE516
                                                                                                                                                                                  SHA-256:364A5FDDFBC66BD6CDF6BE273124795124A1C91CA8749B40ADA93130106E7315
                                                                                                                                                                                  SHA-512:9B6F6FA3C53EA6EBF9F25B7BB44678B991FB844A842B9F04233F62E170A4882AFBCE1F6D793DC3FA87D2EBEDBCD55246C28CC3324BCF71500151BF1DB8E5AD78
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):512
                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):32768
                                                                                                                                                                                  Entropy (8bit):1.412949524892402
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:D9lnn9sant4Igt8npXY/dAc7zOiIQ4ew2ATOzcA:Dn9sanPgtOXydAWCQsi4A
                                                                                                                                                                                  MD5:66DE3146F86B883D5CD814486EC75D9B
                                                                                                                                                                                  SHA1:025E0710E1832778748722A44D47E110CB9A051B
                                                                                                                                                                                  SHA-256:7EBF52A083171A4B78989DD4A03EEB0F020B4AC0D37EFE6E01FFF089E27304AE
                                                                                                                                                                                  SHA-512:78FF35D72482CF51C196EEA942CD40B3F9013E4EF237D8C5EB5537BFFC92231DC70416B1FE6FE2A5FE41F98627107FA39D4E12AB238C17EE53E11EACE1DAC1CD
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):49152
                                                                                                                                                                                  Entropy (8bit):1.2988604345071426
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:d0pu/O+CFXJZT5BdHh6bYdAPSkdAVTiiuNdABuWSkdARUuxPZuNxPuFGofxmxYDS:ip/BTNh6b1PSRuAJSRB1FGoa7lG+
                                                                                                                                                                                  MD5:F6EB1A3D714CFCBBBD538E283A40F309
                                                                                                                                                                                  SHA1:9A1BA503C10ADB0D0E1808E2A34030FEFA49F906
                                                                                                                                                                                  SHA-256:967265F03D3DF01B9E1A5432093F6DFFD4EB5FA2F03D174A24E3A30655DE386D
                                                                                                                                                                                  SHA-512:0FBDADC3786F4077D7CFAF4433DBE0E15AB7DB08F17CCC8686BA5C52179680ADC58A370765D4B80A8A5FAB235F67F945F8DBAA3FD2279B74A009F24E41466CCB
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):20480
                                                                                                                                                                                  Entropy (8bit):1.3691158574811473
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:o8PhRuRc06WXJkFT55dHh6bYdAPSkdAVTiiu:3hR1nFTlh6b1PSRu
                                                                                                                                                                                  MD5:F9A441305EF25CB5F16CF0401AFCB160
                                                                                                                                                                                  SHA1:E8C02131BB41C0E654F20C1BA5EFE2F7163F695C
                                                                                                                                                                                  SHA-256:5E0F1A3EC18685ED1BF29FE157B8C1AEB9BD9756A1EAE6DF56CCD0FA9F63FE95
                                                                                                                                                                                  SHA-512:882D8FD8F1161E2AA8B1CE3509F4BCD96FD7D78DC8F9A0CAE450622E30A323637011DFCB07CB2A00B6AAC49A484A7438F06B60B65D4D9F4536FD4669D09F37F7
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):20480
                                                                                                                                                                                  Entropy (8bit):1.3691158574811473
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:o8PhRuRc06WXJkFT55dHh6bYdAPSkdAVTiiu:3hR1nFTlh6b1PSRu
                                                                                                                                                                                  MD5:F9A441305EF25CB5F16CF0401AFCB160
                                                                                                                                                                                  SHA1:E8C02131BB41C0E654F20C1BA5EFE2F7163F695C
                                                                                                                                                                                  SHA-256:5E0F1A3EC18685ED1BF29FE157B8C1AEB9BD9756A1EAE6DF56CCD0FA9F63FE95
                                                                                                                                                                                  SHA-512:882D8FD8F1161E2AA8B1CE3509F4BCD96FD7D78DC8F9A0CAE450622E30A323637011DFCB07CB2A00B6AAC49A484A7438F06B60B65D4D9F4536FD4669D09F37F7
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:modified
                                                                                                                                                                                  Size (bytes):512
                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):512
                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):512
                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):512
                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):77824
                                                                                                                                                                                  Entropy (8bit):0.3598856038625353
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:oiuGT4dAPSkdAYdABuWSkdARUuxPZuNxPuFGofxmxYD8xYzIoxPJx1xL7xqlWxqq:huoPS1JSRB1FGoa7lG+0Znh
                                                                                                                                                                                  MD5:5B343F664852E86F380D043C27ADC21C
                                                                                                                                                                                  SHA1:E3377B8B7404BD2277E175D632D9DBE4E72B5F33
                                                                                                                                                                                  SHA-256:A8ACD5082A6596EC418C2EF7D93AB2880BA8A68DE6E15D00596534C7E990EB77
                                                                                                                                                                                  SHA-512:D06203D6E319BC05F2DD320033AE0E37849A1670ADFF845817961F0F321FEA0E71E0149805D17718C8D0E6C41BD9A78CCACB319B283159CCBF2E8587784A240E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):49152
                                                                                                                                                                                  Entropy (8bit):1.2988604345071426
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:d0pu/O+CFXJZT5BdHh6bYdAPSkdAVTiiuNdABuWSkdARUuxPZuNxPuFGofxmxYDS:ip/BTNh6b1PSRuAJSRB1FGoa7lG+
                                                                                                                                                                                  MD5:F6EB1A3D714CFCBBBD538E283A40F309
                                                                                                                                                                                  SHA1:9A1BA503C10ADB0D0E1808E2A34030FEFA49F906
                                                                                                                                                                                  SHA-256:967265F03D3DF01B9E1A5432093F6DFFD4EB5FA2F03D174A24E3A30655DE386D
                                                                                                                                                                                  SHA-512:0FBDADC3786F4077D7CFAF4433DBE0E15AB7DB08F17CCC8686BA5C52179680ADC58A370765D4B80A8A5FAB235F67F945F8DBAA3FD2279B74A009F24E41466CCB
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):49152
                                                                                                                                                                                  Entropy (8bit):1.2988604345071426
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:d0pu/O+CFXJZT5BdHh6bYdAPSkdAVTiiuNdABuWSkdARUuxPZuNxPuFGofxmxYDS:ip/BTNh6b1PSRuAJSRB1FGoa7lG+
                                                                                                                                                                                  MD5:F6EB1A3D714CFCBBBD538E283A40F309
                                                                                                                                                                                  SHA1:9A1BA503C10ADB0D0E1808E2A34030FEFA49F906
                                                                                                                                                                                  SHA-256:967265F03D3DF01B9E1A5432093F6DFFD4EB5FA2F03D174A24E3A30655DE386D
                                                                                                                                                                                  SHA-512:0FBDADC3786F4077D7CFAF4433DBE0E15AB7DB08F17CCC8686BA5C52179680ADC58A370765D4B80A8A5FAB235F67F945F8DBAA3FD2279B74A009F24E41466CCB
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):531
                                                                                                                                                                                  Entropy (8bit):5.182165919723824
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12:pporCVZcRwNjppyT5i9NRi9KswBsviJAIkzLGNVs:ppH4wNjpoT5uVNBsviJAIzPs
                                                                                                                                                                                  MD5:33E561872AF6ADD2B13E8C7058BBC39A
                                                                                                                                                                                  SHA1:307EDD76E9AF422D9B66D0202E651D3D5CBA8C03
                                                                                                                                                                                  SHA-256:15637A01FC402B2FEFF8D77E64BCDC855DA18ECBB54B2AB00D061A004D0EEB0C
                                                                                                                                                                                  SHA-512:529A4C7691137E12637FC666E0FD6BB096E8375B1A2F880A4A839C1AD40AB02AB3B1193E0F95AC6581BE754379C98D7886AEDBCB6077DAA3851FC9425F7DC3A5
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:..7-Zip 22.01 (x86) : Copyright (c) 1999-2022 Igor Pavlov : 2022-07-15....Scanning the drive for archives:.. 0M Scan C:\Program Files (x86)\IkCWSTWLLRQX\. .1 file, 204 bytes (1 KiB)....Extracting archive: C:\Program Files (x86)\IkCWSTWLLRQX\FNCUNPTNLBMW.DNA..--..Path = C:\Program Files (x86)\IkCWSTWLLRQX\FNCUNPTNLBMW.DNA..Type = 7z..Physical Size = 204..Headers Size = 204..Solid = -..Blocks = 0.... 0%. .Everything is Ok....Folders: 2..Files: 1..Size: 0..Compressed: 204..
                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):64
                                                                                                                                                                                  Entropy (8bit):3.5645180897627275
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:DkwVI2Y1AnscslLn:I9GJELn
                                                                                                                                                                                  MD5:5C8007829AC2C961A27BFBB2D4C0A6E3
                                                                                                                                                                                  SHA1:3698CF4962500E1FA7C238438C61593101FF5512
                                                                                                                                                                                  SHA-256:670A953820CD50A9804D80CCF4A6BB3BED4F07E824339DA054B39FBDFC7A2242
                                                                                                                                                                                  SHA-512:97BACFC977C0B3C8B2D84BB2E8BCAF0BCCF001BC7C62EA3FFE53D26475D1D6655F4D3DDF2B18EC386899211F2D8BDB7728074B9C6C7C19F0F8B0D64789602305
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:....5.3.0.9.7.8.....\MAILSLOT\NET\GETDCC70C5D0E.................
                                                                                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Entropy (8bit):7.938246108426095
                                                                                                                                                                                  TrID:
                                                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                  File name:e-SPT Masa PPh.exe
                                                                                                                                                                                  File size:29'409'880 bytes
                                                                                                                                                                                  MD5:097c653ddf86f75924a7192fb612b889
                                                                                                                                                                                  SHA1:23fc34bf9649a820a98148697e99ae3c4919ed76
                                                                                                                                                                                  SHA256:bbd7bf7a8d98d3cf5fb8c3f089ca61b57021fbed911465d5caf405d69a531439
                                                                                                                                                                                  SHA512:ab4b2fd9b47191ca4080d1f691619746372dd178087dcc8a69c35b958f37804783cf93dc96e524c544993c34eefcf803396914200d562483cbcddaf41090baf3
                                                                                                                                                                                  SSDEEP:786432:9sou6kPzeDtaWXUwkKS2jgcQBBEJFJ4UpnMIQq:9sou6kPzekW/82MIJd5Z
                                                                                                                                                                                  TLSH:1C572230765EC52ED56215F0592CABAB911C6E2A0BA1E4C7B3DC7D6F27700CB0636E1B
                                                                                                                                                                                  Icon Hash:0000000000000000
                                                                                                                                                                                  Entrypoint:0x60d060
                                                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                                                  Digitally signed:true
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                                                  Time Stamp:0x65DC9518 [Mon Feb 26 13:41:44 2024 UTC]
                                                                                                                                                                                  TLS Callbacks:
                                                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                                                  OS Version Major:6
                                                                                                                                                                                  OS Version Minor:0
                                                                                                                                                                                  File Version Major:6
                                                                                                                                                                                  File Version Minor:0
                                                                                                                                                                                  Subsystem Version Major:6
                                                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                                                  Import Hash:36aca8edddb161c588fcf5afdc1ad9fa
                                                                                                                                                                                  Signature Valid:false
                                                                                                                                                                                  Signature Issuer:CN=gsearch.media, O=solidfiles.com, C=BE
                                                                                                                                                                                  Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                                                                                                                                  Error Number:-2146762487
Not Before:12/12/2024 18:35:18
Not After:10/12/2033 18:35:18
                                                                                                                                                                                  Subject Chain
                                                                                                                                                                                  • CN=gsearch.media, O=solidfiles.com, C=BE
                                                                                                                                                                                  Version:1
                                                                                                                                                                                  Thumbprint MD5:1C2029D784E5D1AEF962BEDC9F5BB87F
                                                                                                                                                                                  Thumbprint SHA-1:687D3A8C05DEA32A25D223E8E45A381F7EED5B64
                                                                                                                                                                                  Thumbprint SHA-256:BF16BBF13133506180C4F319ACAE67AC9965924CAEC757BE872F04CBFE6CF6F7
                                                                                                                                                                                  Serial:01
                                                                                                                                                                                  Instruction
                                                                                                                                                                                  call 00007FC608C1E08Bh
                                                                                                                                                                                  jmp 00007FC608C1D8CDh
                                                                                                                                                                                  push ebp
                                                                                                                                                                                  mov ebp, esp
                                                                                                                                                                                  and dword ptr [00750BACh], 00000000h
                                                                                                                                                                                  sub esp, 24h
                                                                                                                                                                                  or dword ptr [0074D020h], 01h
                                                                                                                                                                                  push 0000000Ah
                                                                                                                                                                                  call dword ptr [00699268h]
                                                                                                                                                                                  test eax, eax
                                                                                                                                                                                  je 00007FC608C1DC02h
                                                                                                                                                                                  and dword ptr [ebp-10h], 00000000h
                                                                                                                                                                                  xor eax, eax
                                                                                                                                                                                  push ebx
                                                                                                                                                                                  push esi
                                                                                                                                                                                  push edi
                                                                                                                                                                                  xor ecx, ecx
                                                                                                                                                                                  lea edi, dword ptr [ebp-24h]
                                                                                                                                                                                  push ebx
                                                                                                                                                                                  cpuid
                                                                                                                                                                                  mov esi, ebx
                                                                                                                                                                                  pop ebx
                                                                                                                                                                                  nop
                                                                                                                                                                                  mov dword ptr [edi], eax
                                                                                                                                                                                  mov dword ptr [edi+04h], esi
                                                                                                                                                                                  mov dword ptr [edi+08h], ecx
                                                                                                                                                                                  xor ecx, ecx
                                                                                                                                                                                  mov dword ptr [edi+0Ch], edx
                                                                                                                                                                                  mov eax, dword ptr [ebp-24h]
                                                                                                                                                                                  mov edi, dword ptr [ebp-20h]
                                                                                                                                                                                  mov dword ptr [ebp-0Ch], eax
                                                                                                                                                                                  xor edi, 756E6547h
                                                                                                                                                                                  mov eax, dword ptr [ebp-18h]
                                                                                                                                                                                  xor eax, 49656E69h
                                                                                                                                                                                  mov dword ptr [ebp-04h], eax
                                                                                                                                                                                  mov eax, dword ptr [ebp-1Ch]
                                                                                                                                                                                  xor eax, 6C65746Eh
                                                                                                                                                                                  mov dword ptr [ebp-08h], eax
                                                                                                                                                                                  xor eax, eax
                                                                                                                                                                                  inc eax
                                                                                                                                                                                  push ebx
                                                                                                                                                                                  cpuid
                                                                                                                                                                                  mov esi, ebx
                                                                                                                                                                                  pop ebx
                                                                                                                                                                                  nop
                                                                                                                                                                                  lea ebx, dword ptr [ebp-24h]
                                                                                                                                                                                  mov dword ptr [ebx], eax
                                                                                                                                                                                  mov eax, dword ptr [ebp-04h]
                                                                                                                                                                                  or eax, dword ptr [ebp-08h]
                                                                                                                                                                                  or eax, edi
                                                                                                                                                                                  mov dword ptr [ebx+04h], esi
                                                                                                                                                                                  mov dword ptr [ebx+08h], ecx
                                                                                                                                                                                  mov dword ptr [ebx+0Ch], edx
                                                                                                                                                                                  jne 00007FC608C1DA95h
                                                                                                                                                                                  mov eax, dword ptr [ebp-24h]
                                                                                                                                                                                  and eax, 0FFF3FF0h
                                                                                                                                                                                  cmp eax, 000106C0h
                                                                                                                                                                                  je 00007FC608C1DA75h
                                                                                                                                                                                  cmp eax, 00020660h
                                                                                                                                                                                  je 00007FC608C1DA6Eh
                                                                                                                                                                                  cmp eax, 00020670h
                                                                                                                                                                                  je 00007FC608C1DA67h
                                                                                                                                                                                  cmp eax, 00030650h
                                                                                                                                                                                  je 00007FC608C1DA60h
                                                                                                                                                                                  cmp eax, 00030660h
                                                                                                                                                                                  je 00007FC608C1DA59h
                                                                                                                                                                                  cmp eax, 00030670h

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x34b628 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x35b000 | 0x2bc6c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1c08410 | 0x3e48 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x387000 | 0x2d8dc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2ed470 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2ed500 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2beb60 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x299000 | 0x320 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x348abc | 0x240 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x297ffa | 0x298000 | 29574c003e7650370b1e798db166baa5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x299000 | 0xb3882 | 0xb3a00 | f523101c03398dae1aa0e7a390821e4a | False | 0.32717765962073764 | data | 5.062684731919462 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x34d000 | 0xcb80 | 0x3400 | 89858263f7a9bdeb103a05738065c24d | False | 0.2342247596153846 | data | 4.4608179073550644 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x35a000 | 0x70c | 0x800 | 4e727b159dc2a9374ea3e8e577a705cb | False | 0.41064453125 | data | 4.529809413662669 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x35b000 | 0x2bc6c | 0x2be00 | ef42afc6e27ad4ad3de111b8732b8a71 | False | 0.11824474715099716 | data | 5.165051371980061 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x387000 | 0x2d8dc | 0x2da00 | 7ced727d545c53e09b9ec0c023e2f6c6 | False | 0.47758989726027395 | data | 6.5647595604033 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x35b910 | 0x13e | Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors | English | United States | 0.25471698113207547
RT_BITMAP | 0x35ba50 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 0 | English | United States | 0.03017241379310345
RT_BITMAP | 0x35c278 | 0x48a8 | Device independent bitmap graphic, 290 x 16 x 32, image size 0 | English | United States | 0.11881720430107527
RT_BITMAP | 0x360b20 | 0xa6a | Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m | English | United States | 0.21680420105026257
RT_BITMAP | 0x36158c | 0x152 | Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors | English | United States | 0.5295857988165681
RT_BITMAP | 0x3616e0 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 0 | English | United States | 0.4875478927203065
RT_ICON | 0x361f08 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4264 | Chinese | China | 0.027204502814258912
RT_ICON | 0x362fb0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Chinese | China | 0.08703319502074688
RT_ICON | 0x365558 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Chinese | China | 0.16463414634146342
RT_ICON | 0x366600 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Chinese | China | 0.18565573770491803
RT_ICON | 0x366f88 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Chinese | China | 0.3262411347517731
RT_DIALOG | 0x3673f0 | 0x98 | data | Chinese | China | 0.75
RT_DIALOG | 0x367488 | 0xc4 | data | Chinese | China | 0.6938775510204082
RT_DIALOG | 0x36754c | 0x16c | data | Chinese | China | 0.5714285714285714
RT_DIALOG | 0x3676b8 | 0x104 | data | Chinese | China | 0.6307692307692307
RT_DIALOG | 0x3677bc | 0x4c | data | English | United States | 0.8289473684210527
RT_STRING | 0x367808 | 0xf0 | data | Chinese | China | 0.85
RT_STRING | 0x3678f8 | 0x124 | data | Chinese | China | 0.6541095890410958
RT_STRING | 0x367a1c | 0x3e | data | Chinese | China | 0.7580645161290323
RT_STRING | 0x367a5c | 0x78 | data | Chinese | China | 0.44166666666666665
RT_STRING | 0x367ad4 | 0x194 | data | Chinese | China | 0.7425742574257426
RT_STRING | 0x367c68 | 0x3ee | data | Chinese | China | 0.510934393638171
RT_STRING | 0x368058 | 0x3ae | data | Chinese | China | 0.38110403397027603
RT_STRING | 0x368408 | 0x78 | data | Chinese | China | 0.85
RT_STRING | 0x368480 | 0x1ce | data | Chinese | China | 0.7748917748917749
RT_STRING | 0x368650 | 0x11e | data | Chinese | China | 0.6048951048951049
RT_STRING | 0x368770 | 0x18a | data | English | United States | 0.5228426395939086
RT_STRING | 0x3688fc | 0x216 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.46254681647940077
RT_STRING | 0x368b14 | 0x624 | data | English | United States | 0.3575063613231552
RT_STRING | 0x369138 | 0x660 | data | English | United States | 0.3474264705882353
RT_STRING | 0x369798 | 0x396 | data | English | United States | 0.3867102396514161
RT_GROUP_ICON | 0x369b30 | 0x14 | data | Chinese | China | 1.1
RT_VERSION | 0x369b44 | 0x118 | PDP-11 overlaid pure executable not stripped | Chinese | China | 0.6142857142857143
RT_HTML | 0x369c5c | 0x3835 | ASCII text, with very long lines (443), with CRLF line terminators | English | United States | 0.08298005420807561
RT_HTML | 0x36d494 | 0x1316 | ASCII text, with CRLF line terminators | English | United States | 0.18399508800654932
RT_HTML | 0x36e7ac | 0x8c77 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.08081426068578103
RT_HTML | 0x377424 | 0x6acd | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.10679931238798873
RT_HTML | 0x37def4 | 0x6a2 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.3486454652532391
RT_HTML | 0x37e598 | 0x104a | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.2170263788968825
RT_HTML | 0x37f5e4 | 0x15b1 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.17612101566720692
RT_HTML | 0x380b98 | 0x205c | exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators | English | United States | 0.13604538870111058
RT_HTML | 0x382bf4 | 0x368d | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.10834228428213391
RT_HTML | 0x386284 | 0x1d7 | ASCII text, with CRLF line terminators | English | United States | 0.6008492569002123
RT_MANIFEST | 0x38645c | 0x80f | XML 1.0 document, ASCII text, with CRLF, LF line terminators | Chinese | China | 0.40814348036839554

DLL | Import
KERNEL32.dll | WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CreateEventExW, WaitForSingleObject, CreateProcessW, GetLastError, GetExitCodeProcess, SetEvent, RemoveDirectoryW, GetProcAddress, GetModuleHandleW, GetWindowsDirectoryW, CreateDirectoryW, GetTempPathW, GetTempFileNameW, MoveFileW, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, InitializeCriticalSection, lstrcpynW, CreateThread, LoadLibraryExW, GetCurrentProcess, Sleep, WideCharToMultiByte, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, GetFinalPathNameByHandleW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SetFileTime, SystemTimeToFileTime, MultiByteToWideChar, GetSystemInfo, WaitForMultipleObjects, GetVersionExW, CreateSemaphoreW, ReleaseSemaphore, GlobalMemoryStatus, GetModuleHandleA, GetProcessAffinityMask, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, LocalFree, LocalAlloc, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetSystemTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FormatMessageW, GetEnvironmentStringsW, InitializeCriticalSectionEx, CloseHandle, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetSystemDefaultLangID, GetUserDefaultLangID, GetLocalTime, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, CreateNamedPipeW, ConnectNamedPipe, TerminateThread, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, WaitForSingleObjectEx, QueryPerformanceCounter, QueryPerformanceFrequency, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, EncodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, GetSystemTimeAsFileTime, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetFileType, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW, LoadLibraryA, CreateFileW
imagehlp.dll | SymGetModuleBase, SymFunctionTableAccess, SymGetLineFromAddr, SymSetSearchPath, SymCleanup, SymInitialize, SymSetOptions, StackWalk

Language of compilation system | Country where language is spoken
English | United States
Chinese | China

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-08T09:15:13.512590+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49962 | 154.82.113.139 | 63701 | TCP
2025-01-08T09:16:14.637182+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49962 | 154.82.113.139 | 63701 | TCP
2025-01-08T09:17:15.793348+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49962 | 154.82.113.139 | 63701 | TCP

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 09:15:10.469232082 CET | 49962 | 63701 | 192.168.2.5 | 154.82.113.139
Jan 8, 2025 09:15:10.474108934 CET | 63701 | 49962 | 154.82.113.139 | 192.168.2.5
Jan 8, 2025 09:15:10.474184990 CET | 49962 | 63701 | 192.168.2.5 | 154.82.113.139
Jan 8, 2025 09:15:13.181883097 CET | 49962 | 63701 | 192.168.2.5 | 154.82.113.139
Jan 8, 2025 09:15:13.187927961 CET | 63701 | 49962 | 154.82.113.139 | 192.168.2.5
Jan 8, 2025 09:15:13.187942028 CET | 63701 | 49962 | 154.82.113.139 | 192.168.2.5
Jan 8, 2025 09:15:13.187963009 CET | 63701 | 49962 | 154.82.113.139 | 192.168.2.5
Jan 8, 2025 09:15:13.187973022 CET | 63701 | 49962 | 154.82.113.139 | 192.168.2.5
Jan 8, 2025 09:15:13.187982082 CET | 63701 | 49962 | 154.82.113.139 | 192.168.2.5
Jan 8, 2025 09:15:13.187992096 CET | 63701 | 49962 | 154.82.113.139 | 192.168.2.5
Jan 8, 2025 09:15:13.187998056 CET | 49962 | 63701 | 192.168.2.5 | 154.82.113.139
Jan 8, 2025 09:15:13.188021898 CET | 49962 | 63701 | 192.168.2.5 | 154.82.113.139
Jan 8, 2025 09:15:13.188045979 CET | 63701 | 49962 | 154.82.113.139 | 192.168.2.5
Jan 8, 2025 09:15:13.188056946 CET | 63701 | 49962 | 154.82.113.139 | 192.168.2.5
Jan 8, 2025 09:15:13.188066006 CET | 63701 | 49962 | 154.82.113.139 | 192.168.2.5
Jan 8, 2025 09:15:13.188076973 CET | 63701 | 49962 | 154.82.113.139 | 192.168.2.5
Jan 8, 2025 09:15:13.188082933 CET | 49962 | 63701 | 192.168.2.5 | 154.82.113.139
Jan 8, 2025 09:15:13.188102961 CET | 49962 | 63701 | 192.168.2.5 | 154.82.113.139
Jan 8, 2025 09:15:13.188147068 CET | 49962 | 63701 | 192.168.2.5 | 154.82.113.139
Jan 8, 2025 09:15:13.193839073 CET | 63701 | 49962 | 154.82.113.139 | 192.168.2.5
Jan 8, 2025 09:15:13.193850994 CET | 63701 | 49962 | 154.82.113.139 | 192.168.2.5
Jan 8, 2025 09:15:13.193917036 CET | 49962 | 63701 | 192.168.2.5 | 154.82.113.139
Jan 8, 2025 09:15:13.193960905 CET | 63701 | 49962 | 154.82.113.139 | 192.168.2.5
Jan 8, 2025 09:15:13.193973064 CET | 63701 | 49962 | 154.82.113.139 | 192.168.2.5
Jan 8, 2025 09:15:13.194031000 CET | 49962 | 63701 | 192.168.2.5 | 154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:13.194087029 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:13.194097996 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:13.194107056 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:13.194232941 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:13.194242954 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:13.194251060 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:13.194252014 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:13.194267035 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:13.194370985 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:13.198723078 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:13.198827028 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:13.198930979 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:13.199040890 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:13.199050903 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:13.512589931 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:13.517430067 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:13.926143885 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:13.980662107 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:14.201431990 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:14.246355057 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:15.440026045 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:15.444950104 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:15.444963932 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:15.444977999 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:15.444989920 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:15.445014954 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:15.445025921 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:15.445038080 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:15.445144892 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:15.445154905 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:15.445230007 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:15.445240974 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:15.445283890 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:15.445292950 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:15.445334911 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:15.445344925 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:15.449872971 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:16.574584007 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:16.580303907 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:16.885716915 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:16.933805943 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:18.299318075 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:18.304244995 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:18.304301023 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:18.304311991 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:18.304322958 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:18.304361105 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:18.304371119 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:18.304419994 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:18.304429054 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:18.304482937 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:18.304492950 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:18.304513931 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:18.304524899 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:18.304598093 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:18.304608107 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:19.684132099 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:19.689021111 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:19.994447947 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:20.044064999 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:21.296621084 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:21.301559925 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:21.301572084 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:21.301583052 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:21.301594973 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:21.301613092 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:21.301621914 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:21.301677942 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:21.301687956 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:21.301697969 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:21.301702023 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:21.301762104 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:21.301774025 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:21.301798105 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:21.301808119 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:22.742016077 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:22.746860027 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:23.052284002 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:23.105681896 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:24.138024092 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:24.144642115 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:24.144731998 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:24.144742012 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:24.144752026 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:24.144761086 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:24.144872904 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:24.144884109 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:24.144891977 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:24.145024061 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:24.145032883 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:24.145178080 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:24.145188093 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:24.145323992 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:24.145334959 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:25.777863026 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:25.782785892 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:26.088330984 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:26.136940956 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:26.642004967 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:26.646899939 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:26.646915913 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:26.646991968 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:26.647003889 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:26.647052050 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:26.647063017 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:26.647114992 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:26.647125959 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:26.647181034 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:26.647191048 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:26.647203922 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:26.647296906 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:26.647483110 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:50.862674952 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:50.867165089 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:50.867175102 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:50.867213011 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:50.867336988 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:53.199542999 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:53.204476118 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:53.510030985 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:53.558860064 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:53.925051928 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:53.930109024 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:53.930126905 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:53.930136919 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:53.930160999 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:53.930169106 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:53.930177927 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:53.930187941 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:53.930206060 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:53.930213928 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:53.930283070 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:53.934840918 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:53.934853077 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:53.934860945 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:53.934868097 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:56.246666908 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:56.558860064 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:56.974711895 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:56.974734068 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:57.279985905 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:57.324440002 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:57.702493906 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:57.707467079 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:57.707622051 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:57.712390900 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:57.712465048 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:57.712621927 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:57.712697983 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:57.717274904 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:57.717439890 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:57.717456102 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:57.717485905 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:57.717490911 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:57.717500925 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:57.717556000 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:57.722346067 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:57.722354889 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:57.722362995 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:57.722476959 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:57.722487926 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:57.722506046 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:57.722543955 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:59.293345928 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:59.298330069 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:59.603991985 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:15:59.652571917 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:15:59.998325109 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:00.003345966 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:00.003385067 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:00.003393888 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:00.003401041 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:00.003416061 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:00.003423929 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:00.003518105 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:00.003525972 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:00.003529072 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:00.003572941 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:00.008011103 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:00.008048058 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:00.008115053 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:00.008152008 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:02.340267897 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:02.345273018 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:02.650813103 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:02.699462891 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:03.482747078 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:03.487740993 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:03.487755060 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:03.487761974 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:03.487766027 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:03.487768888 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:03.487807035 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:03.487816095 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:03.487847090 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:03.487854958 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:03.487883091 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:03.492345095 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:03.492355108 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:03.492393970 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:03.492402077 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:05.387228012 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:05.392134905 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:05.697679996 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:05.746339083 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:06.077126026 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:06.084743023 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:06.084755898 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:06.084764004 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:06.084773064 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:06.084780931 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:06.084789038 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:06.084795952 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:06.084804058 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:06.084811926 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:06.084820032 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:06.089720011 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:06.089730024 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:06.089864969 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:06.089874029 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:08.433984995 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:08.439755917 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:08.745409012 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:08.793266058 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:33.043417931 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:33.048352957 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:33.354057074 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:33.402630091 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:33.735953093 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:33.741518021 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:33.741547108 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:33.741554976 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:33.741559029 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:33.741590977 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:33.741599083 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:33.741607904 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:33.741611004 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:33.741619110 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:33.741626024 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:33.745656013 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:33.745662928 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:33.745671034 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:33.745742083 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:36.090472937 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:36.095380068 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:36.400901079 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:36.449547052 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:36.794110060 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:36.799046040 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:36.799057961 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:36.799066067 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:36.799073935 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:36.799086094 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:36.799207926 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:36.799216986 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:36.799225092 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:36.799232960 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:36.799297094 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:36.803682089 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:36.803706884 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:36.803715944 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:36.803724051 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:39.148807049 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:39.153582096 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:39.459340096 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:39.511980057 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:39.882739067 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:39.887660980 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:39.887672901 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:39.887726068 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:39.887733936 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:39.887773037 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:39.887780905 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:39.887824059 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:39.887831926 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:39.887917042 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:39.887924910 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:39.892335892 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:39.892365932 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:39.892373085 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:39.892381907 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:42.184477091 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:42.189318895 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:42.494929075 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:42.543231964 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:42.889548063 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:42.894422054 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:42.894443035 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:42.894529104 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:42.894537926 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:42.894553900 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:42.894613028 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:42.894622087 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:42.894659042 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:42.894696951 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:42.894740105 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:42.899116993 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:42.899127007 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:42.899158955 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:42.899168015 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:45.230890989 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:45.235749960 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:45.541522980 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:45.590101004 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:45.926462889 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:45.931608915 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:45.931622028 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:45.931629896 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:45.931633949 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:45.931684017 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:45.931706905 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:45.931715012 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:45.931723118 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:45.931752920 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:45.931760073 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:45.936177015 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:45.936189890 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:45.936288118 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:45.936295986 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:48.277791023 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:48.282681942 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:48.588171005 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:48.636970997 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:48.976342916 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:16:48.981208086 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:48.981292009 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:48.981308937 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:48.981317043 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:48.981321096 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:48.981381893 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:48.981390953 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:48.981426954 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:48.981436014 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:48.981511116 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:48.985862970 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:16:48.985879898 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:13.470022917 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:13.470031023 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:13.474422932 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:13.474431992 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:13.474472046 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:13.474479914 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:15.793348074 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:17:15.798209906 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:16.104190111 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:16.152739048 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:17:16.493993998 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:17:16.498987913 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:16.499008894 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:16.499017954 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:16.499027014 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:16.499034882 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:16.499097109 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:16.499124050 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:16.499133110 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:16.499140978 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:16.499252081 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:16.503709078 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:16.503716946 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:16.503762960 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:16.503799915 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:18.840315104 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:17:18.845113039 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:19.152889013 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:19.199512005 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:17:19.559364080 CET4996263701192.168.2.5154.82.113.139
                                                                                                                                                                                  Jan 8, 2025 09:17:19.564320087 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:19.564332008 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:19.564340115 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:19.564347029 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:19.564354897 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:19.564555883 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:19.564572096 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:19.564584970 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:19.564591885 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:19.564699888 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:19.569044113 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:19.569097042 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:19.569104910 CET6370149962154.82.113.139192.168.2.5
                                                                                                                                                                                  Jan 8, 2025 09:17:19.569109917 CET6370149962154.82.113.139192.168.2.5
Timestamp  Source IP  Dest IP  Checksum  Code  Type
                                                                                                                                                                                  Jan 8, 2025 09:17:17.231059074 CET192.168.2.5154.82.113.1396e31Echo
                                                                                                                                                                                  Jan 8, 2025 09:17:17.536053896 CET154.82.113.139192.168.2.57631Echo Reply
                                                                                                                                                                                  Jan 8, 2025 09:17:18.543399096 CET192.168.2.5154.82.113.1394d2cEcho
                                                                                                                                                                                  Jan 8, 2025 09:17:18.848339081 CET154.82.113.139192.168.2.5552cEcho Reply
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 8, 2025 09:14:15.546535969 CET | 1.1.1.1 | 192.168.2.5 | 0x63df | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
| Jan 8, 2025 09:14:15.546535969 CET | 1.1.1.1 | 192.168.2.5 | 0x63df | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |


                                                                                                                                                                                  Target ID:0
                                                                                                                                                                                  Start time:03:14:12
                                                                                                                                                                                  Start date:08/01/2025
                                                                                                                                                                                  Path:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\Users\user\Desktop\e-SPT Masa PPh.exe"
                                                                                                                                                                                  Imagebase:0xef0000
                                                                                                                                                                                  File size:29'409'880 bytes
                                                                                                                                                                                  MD5 hash:097C653DDF86F75924A7192FB612B889
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:2
                                                                                                                                                                                  Start time:03:14:15
                                                                                                                                                                                  Start date:08/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                  Imagebase:0x7ff68c180000
                                                                                                                                                                                  File size:69'632 bytes
                                                                                                                                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:3
                                                                                                                                                                                  Start time:03:14:17
                                                                                                                                                                                  Start date:08/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 53BFAE2425B516854415A490E8C0A705 C
                                                                                                                                                                                  Imagebase:0xa50000
                                                                                                                                                                                  File size:59'904 bytes
                                                                                                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:4
                                                                                                                                                                                  Start time:03:14:24
                                                                                                                                                                                  Start date:08/01/2025
                                                                                                                                                                                  Path:C:\Users\user\Desktop\e-SPT Masa PPh.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\Users\user\Desktop\e-SPT Masa PPh.exe" /i "C:\Program Files (x86)\WindowsInstallerIC\7AF5081\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\IkCWSTWLLRQX" SECONDSEQUENCE="1" CLIENTPROCESSID="6196" AI_MORE_CMD_LINE=1
                                                                                                                                                                                  Imagebase:0xef0000
                                                                                                                                                                                  File size:29'409'880 bytes
                                                                                                                                                                                  MD5 hash:097C653DDF86F75924A7192FB612B889
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:5
                                                                                                                                                                                  Start time:03:14:25
                                                                                                                                                                                  Start date:08/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding FC2A87C99CB9700EDEC5D180B7A0E6E9
                                                                                                                                                                                  Imagebase:0xa50000
                                                                                                                                                                                  File size:59'904 bytes
                                                                                                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:7
                                                                                                                                                                                  Start time:03:14:45
                                                                                                                                                                                  Start date:08/01/2025
                                                                                                                                                                                  Path:C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\IkCWSTWLLRQX\fhjyy.exe"
                                                                                                                                                                                  Imagebase:0xbe0000
                                                                                                                                                                                  File size:175'328 bytes
                                                                                                                                                                                  MD5 hash:BE4ED0D3AA0B2573927A046620106B13
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:8
                                                                                                                                                                                  Start time:03:14:45
                                                                                                                                                                                  Start date:08/01/2025
                                                                                                                                                                                  Path:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\LJBPHRBSRLCI.FNG" -o"C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B" -pIWLHTVJXHINUWUFBWIU -aos -y
                                                                                                                                                                                  Imagebase:0xc50000
                                                                                                                                                                                  File size:710'888 bytes
                                                                                                                                                                                  MD5 hash:FAE7D0A530279838C8A5731B086A081B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000008.00000003.2393860781.0000000002FC6000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:9
                                                                                                                                                                                  Start time:03:14:45
                                                                                                                                                                                  Start date:08/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:10
                                                                                                                                                                                  Start time:03:14:50
                                                                                                                                                                                  Start date:08/01/2025
                                                                                                                                                                                  Path:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\KKVIOQVTEUTA.OKO" -o"C:\Program Files (x86)\IkCWSTWLLRQX" -pRFOLHRLVLKWUMQMLJJA -aos -y
                                                                                                                                                                                  Imagebase:0xc50000
                                                                                                                                                                                  File size:710'888 bytes
                                                                                                                                                                                  MD5 hash:FAE7D0A530279838C8A5731B086A081B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:11
                                                                                                                                                                                  Start time:03:14:50
                                                                                                                                                                                  Start date:08/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:12
                                                                                                                                                                                  Start time:03:14:51
                                                                                                                                                                                  Start date:08/01/2025
                                                                                                                                                                                  Path:C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\IkCWSTWLLRQX\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\IkCWSTWLLRQX\FNCUNPTNLBMW.DNA" -o"C:\Users\user\AppData\Roaming" -pAEXIKRSDXTBGHJSHHPK -aos -y
                                                                                                                                                                                  Imagebase:0xc50000
                                                                                                                                                                                  File size:710'888 bytes
                                                                                                                                                                                  MD5 hash:FAE7D0A530279838C8A5731B086A081B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:13
                                                                                                                                                                                  Start time:03:14:51
                                                                                                                                                                                  Start date:08/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:14
                                                                                                                                                                                  Start time:03:14:54
                                                                                                                                                                                  Start date:08/01/2025
                                                                                                                                                                                  Path:C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:691'760 bytes
                                                                                                                                                                                  MD5 hash:938C33C54819D6CE8D731B68D9C37E38
                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000E.00000000.2471325966.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe, Author: Joe Security
                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:17
                                                                                                                                                                                  Start time:03:14:55
                                                                                                                                                                                  Start date:08/01/2025
                                                                                                                                                                                  Path:C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\IkCWSTWLLRQX\yybob\Bor32-update-flase.exe"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:691'760 bytes
                                                                                                                                                                                  MD5 hash:938C33C54819D6CE8D731B68D9C37E38
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                  • Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000011.00000002.2610324883.000000000301C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:19
                                                                                                                                                                                  Start time:03:15:08
                                                                                                                                                                                  Start date:08/01/2025
                                                                                                                                                                                  Path:C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\4FB3661214624E45939F5F2427BF1D9B\VGX\Haloonoroff.exe"
                                                                                                                                                                                  Imagebase:0x50000
                                                                                                                                                                                  File size:174'304 bytes
                                                                                                                                                                                  MD5 hash:0D318144BD23BA1A72CC06FE19CB3F0C
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                    Execution Coverage:6.6%
                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                    Signature Coverage:22.1%
                                                                                                                                                                                    Total number of Nodes:2000
                                                                                                                                                                                    Total number of Limit Nodes:57
fe8362 89623->89629 89630 fe8370 89623->89630 89625 efb010 2 API calls 89624->89625 89626 fe844f 89625->89626 89627 10fc6a3 std::_Facet_Register 3 API calls 89626->89627 89628 fe85a2 89627->89628 89935 f114d0 89628->89935 89632 efa840 53 API calls 89629->89632 89934 efae80 44 API calls 4 library calls 89630->89934 89634 fe836e 89632->89634 89633 fe85ea GetSysColor 89633->89266 89636 f14ad0 123 API calls 89634->89636 89637 fe83a8 89636->89637 89638 f14ad0 123 API calls 89637->89638 89639 fe83ce 89638->89639 89639->89617 89640 fe83e4 LoadLibraryExW 89639->89640 89640->89617 89945 1107c79 89641->89945 89644->89238 89645->89238 89646->89246 89647->89267 89648->89271 89649->89276 89650 10192f0 22 API calls 2 library calls 89650->89244 89652 10152ba 89651->89652 89653 101525d MultiByteToWideChar 89651->89653 89749 efac00 89652->89749 89653->89652 89655 1015275 89653->89655 89657 1015290 MultiByteToWideChar 89655->89657 89748 efae10 44 API calls 89655->89748 89659 10152a7 89657->89659 89660 10152c9 89657->89660 89659->89597 89661 efb010 2 API calls 89660->89661 89662 10152d3 89661->89662 89665 f14af8 ___crtLCMapStringW 89663->89665 89672 f14b63 std::_Locinfo::_Locinfo_ctor 89663->89672 89664 efb010 2 API calls 89666 f14bb0 89664->89666 89665->89672 89673 f14b42 std::locale::_Setgloballocale 89665->89673 89754 efae10 44 API calls 89665->89754 89667 f14c2b 89666->89667 89669 f14c1e FindClose 89666->89669 89671 efac00 2 API calls 89667->89671 89669->89667 89670 f14b91 89670->89600 89675 f14c45 89671->89675 89672->89664 89672->89670 89673->89672 89755 1101a3f 14 API calls __dosmaperr 89673->89755 89677 efb3a0 52 API calls 89675->89677 89676 f14b7f 89756 110191f 42 API calls ___std_exception_copy 89676->89756 89682 f14c57 89677->89682 89679 f1509a 89680 efb010 2 API calls 89679->89680 89681 f150a4 89680->89681 89863 efaac0 89681->89863 89682->89679 89685 f14c8d 89682->89685 89688 f14c9b 89682->89688 89684 f150ef 89686 f15337 89684->89686 89690 f1535b 89684->89690 89691 f15125 
89684->89691 89687 efa840 53 API calls 89685->89687 89686->89600 89692 f14c99 89687->89692 89688->89688 89757 efae80 44 API calls 4 library calls 89688->89757 89693 efb010 2 API calls 89690->89693 89694 f15142 89691->89694 89882 f155e0 89691->89882 89696 f14e72 FindFirstFileW 89692->89696 89697 f14ce5 PathIsUNCW 89692->89697 89736 f14f44 89692->89736 89695 f15365 89693->89695 89889 f15520 54 API calls 89694->89889 89703 f14e8a GetFullPathNameW 89696->89703 89696->89736 89699 f14deb 89697->89699 89700 f14cfa 89697->89700 89707 f07180 54 API calls 89699->89707 89758 f07180 89700->89758 89702 f1514d 89706 f14ad0 115 API calls 89702->89706 89704 f14ea3 89703->89704 89742 f15008 ___crtLCMapStringW 89703->89742 89708 f14ec8 GetFullPathNameW 89704->89708 89858 efae10 44 API calls 89704->89858 89710 f15161 89706->89710 89731 f14da9 89707->89731 89712 f14ede ___crtLCMapStringW 89708->89712 89709 efb010 2 API calls 89709->89679 89710->89686 89713 f151a3 PathIsUNCW 89710->89713 89716 f14f8a 89712->89716 89723 f14f0e 89712->89723 89712->89742 89714 f151b7 89713->89714 89715 f152af 89713->89715 89717 f07180 54 API calls 89714->89717 89718 f07180 54 API calls 89715->89718 89726 f14fa4 89716->89726 89859 efacd0 44 API calls 4 library calls 89716->89859 89732 f151bf 89717->89732 89743 f1526c 89718->89743 89719 f14d02 89719->89696 89777 f07600 89719->89777 89722 f14f3c SetLastError 89722->89736 89723->89722 89728 f14f33 FindClose 89723->89728 89724 f14d96 89834 f154a0 89724->89834 89725 f14fd0 89733 f15010 89725->89733 89734 f14fe6 89725->89734 89726->89725 89860 efacd0 44 API calls 4 library calls 89726->89860 89728->89722 89731->89696 89843 f15370 89731->89843 89732->89686 89735 f07600 106 API calls 89732->89735 89733->89742 89862 efacd0 44 API calls 4 library calls 89733->89862 89734->89736 89734->89742 89861 efacd0 44 API calls 4 library calls 89734->89861 89737 f1525a 89735->89737 89736->89600 89739 f154a0 44 API calls 89737->89739 89738 f15370 44 API calls 89738->89686 
89739->89743 89742->89709 89742->89736 89743->89686 89743->89738 89744->89607 89745->89607 89746->89608 89747->89605 89748->89657 89750 efac38 89749->89750 89751 efac47 89749->89751 89750->89751 89752 efb010 2 API calls 89750->89752 89751->89597 89753 efacbc 89752->89753 89754->89673 89755->89676 89756->89672 89757->89692 89759 f071c3 89758->89759 89761 f071f7 89758->89761 89760 efaac0 44 API calls 89759->89760 89762 f071cb 89760->89762 89763 efb3a0 52 API calls 89761->89763 89771 f07218 89761->89771 89762->89719 89763->89771 89764 f0730a 89766 efb010 2 API calls 89764->89766 89765 f072fb 89767 efb010 2 API calls 89765->89767 89768 f07314 89766->89768 89769 f07305 89767->89769 89892 efadb0 44 API calls 89769->89892 89771->89764 89771->89765 89771->89769 89773 f0728e std::locale::_Setgloballocale 89771->89773 89772 f072aa std::_Locinfo::_Locinfo_ctor 89772->89719 89773->89772 89890 1101a3f 14 API calls __dosmaperr 89773->89890 89775 f072cc 89891 110191f 42 API calls ___std_exception_copy 89775->89891 89778 f077c5 89777->89778 89779 f0765a 89777->89779 89780 efb010 2 API calls 89778->89780 89782 f076ac 89779->89782 89784 f0767c 89779->89784 89781 f077cf 89780->89781 89895 efadb0 44 API calls 89781->89895 89785 efb3a0 52 API calls 89782->89785 89788 f076d1 89782->89788 89787 efaac0 44 API calls 89784->89787 89785->89788 89786 f077d4 89789 efb010 2 API calls 89786->89789 89790 f07684 89787->89790 89788->89781 89788->89786 89791 f077de 89788->89791 89805 f07706 89788->89805 89789->89791 89790->89724 89792 efb010 2 API calls 89791->89792 89793 f077e8 89792->89793 89794 f0782d 89793->89794 89806 f078be ___std_exception_copy __Getcoll 89793->89806 89795 f07885 GetWindowLongW 89794->89795 89797 f07834 89794->89797 89798 f07892 NtdllDefWindowProc_W 89795->89798 89796 f07870 NtdllDefWindowProc_W 89799 f07b06 89796->89799 89797->89796 89801 f07848 GetWindowLongW 89797->89801 89798->89799 89800 10fc65a _ValidateLocalCookies 5 API calls 89799->89800 89803 f07b2e 89800->89803 
89801->89796 89804 f07858 GetWindowLongW SetWindowLongW 89801->89804 89803->89724 89804->89796 89805->89791 89818 f07758 std::locale::_Setgloballocale 89805->89818 89807 f07acf 89806->89807 89808 f07938 SetWindowTextW 89806->89808 89807->89799 89812 11064bb __freea 14 API calls 89807->89812 89809 f07954 89808->89809 89810 f0795a 89808->89810 89809->89810 89813 f079e2 89810->89813 89814 f0796c GlobalAlloc 89810->89814 89811 f07774 std::_Locinfo::_Locinfo_ctor 89811->89724 89812->89799 89813->89807 89898 f07dd0 84 API calls 7 library calls 89813->89898 89814->89813 89816 f0797c GlobalLock 89814->89816 89822 f0798f std::locale::_Setgloballocale 89816->89822 89818->89811 89893 1101a3f 14 API calls __dosmaperr 89818->89893 89819 f07796 89894 110191f 42 API calls ___std_exception_copy 89819->89894 89820 f07a15 89823 f07ab3 89820->89823 89828 f07a3c SetWindowLongW 89820->89828 89827 f07994 std::_Locinfo::_Locinfo_ctor 89822->89827 89896 1101a3f 14 API calls __dosmaperr 89822->89896 89823->89807 89825 f079b2 89897 110191f 42 API calls ___std_exception_copy 89825->89897 89829 f079c8 GlobalUnlock 89827->89829 89830 f07a53 89828->89830 89829->89813 89831 f07a99 NtdllDefWindowProc_W 89830->89831 89899 11064bb 89830->89899 89831->89799 89835 f154b6 89834->89835 89836 f1550f 89834->89836 89837 f154fc 89835->89837 89839 f154c6 89835->89839 89836->89731 89909 efae80 44 API calls 4 library calls 89837->89909 89841 efaac0 44 API calls 89839->89841 89840 f15507 89840->89731 89842 f154cc 89841->89842 89842->89731 89844 f153a1 89843->89844 89857 f15477 89843->89857 89845 f153e4 89844->89845 89854 f15451 std::_Locinfo::_Locinfo_ctor 89844->89854 89844->89857 89910 efae10 44 API calls 89844->89910 89851 f15418 std::_Locinfo::_Locinfo_ctor 89845->89851 89911 1101a3f 14 API calls __dosmaperr 89845->89911 89846 efb010 2 API calls 89848 f15499 89846->89848 89850 f1540d 89912 110191f 42 API calls ___std_exception_copy 89850->89912 89851->89854 89913 1101a3f 14 API calls __dosmaperr 
89851->89913 89854->89846 89854->89857 89855 f15446 89914 110191f 42 API calls ___std_exception_copy 89855->89914 89857->89696 89858->89708 89859->89726 89860->89725 89861->89742 89862->89742 89864 efaad4 89863->89864 89865 efaae7 89864->89865 89866 efab93 89864->89866 89871 efab11 std::locale::_Setgloballocale 89864->89871 89865->89684 89919 efadb0 44 API calls 89866->89919 89868 efab98 89870 efaac0 44 API calls 89868->89870 89869 efab37 89915 1101a3f 14 API calls __dosmaperr 89869->89915 89874 efabd6 89870->89874 89871->89869 89875 efab56 std::_Locinfo::_Locinfo_ctor 89871->89875 89878 efab78 89871->89878 89873 efab3c 89916 110191f 42 API calls ___std_exception_copy 89873->89916 89874->89684 89875->89684 89877 efab47 89877->89684 89878->89875 89917 1101a3f 14 API calls __dosmaperr 89878->89917 89880 efab81 89918 110191f 42 API calls ___std_exception_copy 89880->89918 89883 f155f1 89882->89883 89884 f15608 89882->89884 89883->89884 89920 efae10 44 API calls 89883->89920 89885 efb010 2 API calls 89884->89885 89888 f1561a 89884->89888 89886 f15635 89885->89886 89888->89694 89889->89702 89890->89775 89891->89772 89892->89764 89893->89819 89894->89811 89895->89786 89896->89825 89897->89827 89898->89820 89902 1114746 89899->89902 89903 1114751 RtlFreeHeap 89902->89903 89904 f07a96 89902->89904 89903->89904 89905 1114766 GetLastError 89903->89905 89904->89831 89906 1114773 __dosmaperr 89905->89906 89908 1101a3f 14 API calls __dosmaperr 89906->89908 89908->89904 89909->89840 89910->89845 89911->89850 89912->89851 89913->89855 89914->89854 89915->89873 89916->89877 89917->89880 89918->89875 89919->89868 89920->89884 89922 102e51c 89921->89922 89926 102e524 89921->89926 89923 10fc65a _ValidateLocalCookies 5 API calls 89922->89923 89925 101383f 89923->89925 89924 102e613 89927 efb010 2 API calls 89924->89927 89925->89236 89925->89252 89926->89922 89926->89924 89928 102e544 std::locale::_Setgloballocale 89926->89928 89929 102e61d 89927->89929 89928->89922 89930 102e574 
FindFirstFileW 89928->89930 89931 102e5a3 89930->89931 89932 102e5c0 GetLastError 89930->89932 89931->89922 89933 102e5dd FindClose 89931->89933 89932->89931 89933->89922 89934->89634 89936 f114ed 89935->89936 89943 f11567 std::ios_base::_Ios_base_dtor 89935->89943 89937 f115ad 89936->89937 89938 f11504 89936->89938 89939 f1152b 89936->89939 89938->89937 89941 10fc6a3 std::_Facet_Register 3 API calls 89938->89941 89940 10fc6a3 std::_Facet_Register 3 API calls 89939->89940 89942 f11515 89939->89942 89940->89942 89941->89942 89942->89943 89944 110192f std::_Throw_Cpp_error 42 API calls 89942->89944 89943->89633 89944->89937 89946 1107ca6 89945->89946 89947 1107cb8 89945->89947 89972 1107d41 GetModuleHandleW 89946->89972 89957 1107b22 89947->89957 89951 1107cab 89951->89947 89973 1107da6 GetModuleHandleExW 89951->89973 89952 1013bc7 FreeLibrary 89952->89650 89958 1107b2e std::_Locinfo::_Locinfo_ctor 89957->89958 89979 110ffe1 EnterCriticalSection 89958->89979 89960 1107b38 89980 1107b8e 89960->89980 89962 1107b45 89984 1107b63 89962->89984 89965 1107d10 90006 1107d84 89965->90006 89968 1107d2e 89970 1107da6 std::locale::_Setgloballocale 3 API calls 89968->89970 89969 1107d1e GetCurrentProcess TerminateProcess 89969->89968 89971 1107d36 ExitProcess 89970->89971 89972->89951 89974 1107de5 GetProcAddress 89973->89974 89975 1107e06 89973->89975 89974->89975 89978 1107df9 89974->89978 89976 1107cb7 89975->89976 89977 1107e0c FreeLibrary 89975->89977 89976->89947 89977->89976 89978->89975 89979->89960 89981 1107b9a std::_Locinfo::_Locinfo_ctor 89980->89981 89982 1107c01 std::locale::_Setgloballocale 89981->89982 89987 1112452 89981->89987 89982->89962 90005 1110031 LeaveCriticalSection 89984->90005 89986 1107b51 89986->89952 89986->89965 89988 111245e __EH_prolog3 89987->89988 89991 11121aa 89988->89991 89990 1112485 std::locale::_Setgloballocale 89990->89982 89992 11121b6 std::_Locinfo::_Locinfo_ctor 89991->89992 89999 110ffe1 EnterCriticalSection 89992->89999 89994 
11121c4 90000 1112362 89994->90000 89998 11121e2 89998->89990 89999->89994 90001 11121d1 90000->90001 90002 1112381 90000->90002 90004 11121f9 LeaveCriticalSection std::_Lockit::~_Lockit 90001->90004 90002->90001 90003 1114746 ___free_lconv_mon 14 API calls 90002->90003 90003->90001 90004->89998 90005->89986 90011 11166ba 6 API calls std::locale::_Setgloballocale 90006->90011 90008 1107d89 90009 1107d1a 90008->90009 90010 1107d8e GetPEB 90008->90010 90009->89968 90009->89969 90010->90009 90011->90008 90022 10fbeb9 EnterCriticalSection 90012->90022 90014 efa690 FindResourceExW 90017 efa677 90014->90017 90016 10fbeb9 6 API calls 90016->90017 90017->90014 90017->90016 90018 efa6c5 90017->90018 90027 efa700 LoadResource LockResource SizeofResource 90017->90027 90018->89283 90018->89284 90019->89287 90020->89288 90021->89292 90023 10fbed2 90022->90023 90025 10fbedb LeaveCriticalSection 90022->90025 90023->90025 90028 10fbe96 RtlAllocateHeap EnterCriticalSection LeaveCriticalSection RaiseException 90023->90028 90025->90017 90027->90017 90028->90025 90029->89312 90030 1022040 90031 102208b 90030->90031 90032 1022078 90030->90032 90038 100ff30 55 API calls 4 library calls 90031->90038 90036 10fc65a _ValidateLocalCookies 5 API calls 90032->90036 90034 1022095 90035 ef8eb0 42 API calls 90034->90035 90035->90032 90037 10220da 90036->90037 90038->90034 90039 1038d80 90048 1038840 90039->90048 90041 1038dc1 GetFileVersionInfoSizeW 90042 1038dda 90041->90042 90043 1038e3e GetLastError 90041->90043 90045 1038df1 GetFileVersionInfoW 90042->90045 90047 1038dea 90042->90047 90043->90047 90044 1038e50 DeleteFileW 90046 1038e57 90044->90046 90045->90043 90045->90047 90047->90044 90047->90046 90090 1033820 90048->90090 90051 1038b4d 90054 10fc65a _ValidateLocalCookies 5 API calls 90051->90054 90052 103888c SHGetFolderPathW 90053 10388aa 90052->90053 90053->90051 90056 f03380 108 API calls 90053->90056 90055 1038ba0 90054->90055 90055->90041 90057 1038922 90056->90057 90058 101f010 54 
API calls 90057->90058 90059 1038937 90058->90059 90060 efb3a0 52 API calls 90059->90060 90061 103894a 90060->90061 90062 1038ba6 90061->90062 90069 1038958 90061->90069 90063 efb010 2 API calls 90062->90063 90064 1038bb0 90063->90064 90065 efb010 2 API calls 90064->90065 90066 1038bba 90065->90066 90067 1038bf3 90066->90067 90068 1038beb DeleteFileW 90066->90068 90067->90041 90068->90067 90070 1038997 90069->90070 90071 1038986 90069->90071 90105 efae80 44 API calls 4 library calls 90070->90105 90072 efa840 53 API calls 90071->90072 90074 1038995 90072->90074 90075 ef8eb0 42 API calls 90074->90075 90076 10389cf 90075->90076 90077 ef8eb0 42 API calls 90076->90077 90078 10389de 90077->90078 90078->90064 90079 1038a12 std::locale::_Setgloballocale 90078->90079 90081 10389fe 90078->90081 90080 1038a2b GetTempFileNameW 90079->90080 90083 1038a49 90080->90083 90081->90079 90082 f155e0 44 API calls 90081->90082 90082->90079 90097 1033960 90083->90097 90086 1038ad8 Wow64DisableWow64FsRedirection 90087 1038afc CopyFileW 90086->90087 90088 1038b18 90087->90088 90088->90051 90089 1038b2d Wow64RevertWow64FsRedirection 90088->90089 90089->90051 90091 1033960 27 API calls 90090->90091 90092 1033849 90091->90092 90093 10fcab5 3 API calls 90092->90093 90094 1033905 90092->90094 90095 1033870 std::locale::_Setgloballocale 90093->90095 90094->90051 90094->90052 90095->90094 90106 10fca64 AcquireSRWLockExclusive ReleaseSRWLockExclusive WakeAllConditionVariable 90095->90106 90098 1033997 90097->90098 90104 10339db 90097->90104 90099 10fcab5 3 API calls 90098->90099 90100 10339a1 90099->90100 90100->90104 90107 1033a00 90100->90107 90104->90086 90104->90087 90105->90074 90106->90094 90108 1033a58 RegOpenKeyExW 90107->90108 90110 1033a86 RegQueryValueExW RegQueryValueExW 90108->90110 90111 1033d5e 90108->90111 90112 1033b4b RegQueryValueExW 90110->90112 90113 1033aeb RegQueryValueExW 90110->90113 90114 1033d8a 90111->90114 90115 1033d79 RegCloseKey 90111->90115 90118 1033b92 
90112->90118 90113->90112 90116 1033b23 90113->90116 90117 10fc65a _ValidateLocalCookies 5 API calls 90114->90117 90115->90114 90116->90112 90116->90116 90119 10339ca 90117->90119 90120 1033bd8 RegQueryValueExW 90118->90120 90135 10fca64 AcquireSRWLockExclusive ReleaseSRWLockExclusive WakeAllConditionVariable 90119->90135 90121 1033c09 90120->90121 90122 1033c2e RegQueryValueExW 90120->90122 90121->90122 90123 1033c5f 90122->90123 90124 1033d16 90123->90124 90127 10fcab5 3 API calls 90123->90127 90125 1033d52 90124->90125 90126 1033d20 GetCurrentProcess 90124->90126 90136 1033db0 90125->90136 90129 1033d40 IsWow64Process 90126->90129 90128 1033cd9 90127->90128 90128->90124 90131 1033ce5 GetModuleHandleW GetProcAddress 90128->90131 90129->90125 90133 1033d46 90129->90133 90147 10fca64 AcquireSRWLockExclusive ReleaseSRWLockExclusive WakeAllConditionVariable 90131->90147 90133->90125 90134 1033d13 90134->90124 90135->90104 90137 1033e0a RegOpenKeyExW 90136->90137 90139 1033e38 RegQueryValueExW 90137->90139 90146 1033eec 90137->90146 90140 1033eb7 RegQueryValueExW 90139->90140 90145 1033e69 90139->90145 90140->90146 90141 10340ce 90143 10fc65a _ValidateLocalCookies 5 API calls 90141->90143 90142 10340bd RegCloseKey 90142->90141 90144 10340e6 90143->90144 90144->90111 90145->90140 90146->90141 90146->90142 90147->90134 90148 10521a0 90149 10521ac 90148->90149 90151 10521b3 90148->90151 90150 1052360 90152 efb010 2 API calls 90150->90152 90151->90150 90154 1052201 90151->90154 90155 1052230 90151->90155 90153 105236a 90152->90153 90205 10525e0 14 API calls __freea 90153->90205 90157 105221f 90154->90157 90158 1052209 90154->90158 90163 105221d 90155->90163 90203 110f09e 15 API calls 2 library calls 90155->90203 90162 11064bb __freea 14 API calls 90157->90162 90158->90163 90169 1052326 90158->90169 90159 1052397 90161 1052259 WideCharToMultiByte 90164 10522fc 90161->90164 90165 105227e GetLastError 90161->90165 90162->90163 90163->90161 90166 105233a 90163->90166 90167 
1052300 90164->90167 90186 1052a00 GetLastError 90164->90186 90165->90164 90168 1052289 WideCharToMultiByte 90165->90168 90170 efb010 2 API calls 90166->90170 90171 1052330 90168->90171 90172 10522af 90168->90172 90173 efb010 2 API calls 90169->90173 90170->90164 90174 efb010 2 API calls 90171->90174 90175 10522b5 90172->90175 90176 1052302 90172->90176 90173->90171 90174->90166 90179 10522bd 90175->90179 90180 10522cf 90175->90180 90178 10522cd 90176->90178 90204 110f09e 15 API calls 2 library calls 90176->90204 90182 1052356 90178->90182 90184 10522dd WideCharToMultiByte 90178->90184 90179->90166 90179->90178 90181 11064bb __freea 14 API calls 90180->90181 90181->90178 90185 efb010 2 API calls 90182->90185 90184->90164 90185->90150 90187 1052a0a 90186->90187 90188 efb010 2 API calls 90187->90188 90189 1052a18 90188->90189 90190 1052adb 90189->90190 90191 1052a3e 90189->90191 90192 1052a7a 90189->90192 90190->90182 90206 10324c0 90191->90206 90193 1052ab1 90192->90193 90194 1052a81 90192->90194 90193->90190 90198 1052ab8 DestroyWindow 90193->90198 90194->90190 90197 1052a8c EnableWindow 90194->90197 90196 1052a51 90211 1052c70 6 API calls 90196->90211 90197->90182 90198->90182 90205->90159 90233 1031a80 LoadLibraryW 90206->90233 90209 1031a80 4 API calls 90210 10324f0 SendMessageW SendMessageW 90209->90210 90210->90196 90212 1052cf4 90211->90212 90213 1052cfb SetWindowPos 90211->90213 90212->90213 90214 10fc65a _ValidateLocalCookies 5 API calls 90213->90214 90215 1052a5b 90214->90215 90216 f76f20 GetWindowLongW 90215->90216 90217 f76f82 GetWindow 90216->90217 90218 f76f79 GetParent 90216->90218 90219 f76f8b GetWindowRect 90217->90219 90218->90219 90220 f76f9f 90219->90220 90221 f77009 GetParent GetClientRect GetClientRect MapWindowPoints 90219->90221 90222 f76fa3 GetWindowLongW 90220->90222 90223 f76fb8 MonitorFromWindow 90220->90223 90226 f76fea SetWindowPos 90221->90226 90222->90223 90227 f76fc8 GetMonitorInfoW 90223->90227 90229 f77002 90223->90229 90226->90229 
90228 f76fde 90227->90228 90227->90229 90228->90226 90230 f76ff5 GetWindowRect 90228->90230 90231 10fc65a _ValidateLocalCookies 5 API calls 90229->90231 90230->90226 90232 f770d2 90231->90232 90232->90182 90234 1031aec 90233->90234 90235 1031ada GetProcAddress 90233->90235 90236 1031b3e LoadImageW 90234->90236 90237 1031b0b 90234->90237 90235->90234 90236->90237 90238 1031b76 90237->90238 90239 1031b68 FreeLibrary 90237->90239 90238->90209 90239->90238 90240 10f9389 90241 10f936e 90240->90241 90241->90240 90243 10f97ad 90241->90243 90269 10f950b 90243->90269 90245 10f97bd 90246 10f981a 90245->90246 90255 10f983e 90245->90255 90247 10f974b DloadReleaseSectionWriteAccess 8 API calls 90246->90247 90248 10f9825 RaiseException 90247->90248 90249 10f9a13 90248->90249 90249->90241 90250 10f98b6 LoadLibraryExA 90251 10f98c9 GetLastError 90250->90251 90252 10f9917 90250->90252 90257 10f98dc 90251->90257 90258 10f98f2 90251->90258 90253 10f9929 90252->90253 90256 10f9922 FreeLibrary 90252->90256 90254 10f9987 GetProcAddress 90253->90254 90264 10f99e5 90253->90264 90260 10f9997 GetLastError 90254->90260 90254->90264 90255->90250 90255->90252 90255->90253 90255->90264 90256->90253 90257->90252 90257->90258 90259 10f974b DloadReleaseSectionWriteAccess 8 API calls 90258->90259 90261 10f98fd RaiseException 90259->90261 90262 10f99aa 90260->90262 90261->90249 90262->90264 90265 10f974b DloadReleaseSectionWriteAccess 8 API calls 90262->90265 90280 10f974b 90264->90280 90266 10f99cb RaiseException 90265->90266 90267 10f950b DloadAcquireSectionWriteAccess 8 API calls 90266->90267 90268 10f99e2 90267->90268 90268->90264 90270 10f953d 90269->90270 90271 10f9517 90269->90271 90270->90245 90288 10f95b4 90271->90288 90273 10f951c 90274 10f9538 90273->90274 90293 10f96dd 90273->90293 90298 10f953e GetModuleHandleW GetProcAddress GetProcAddress 90274->90298 90277 10f9786 90278 10f97a2 90277->90278 90279 10f979e ReleaseSRWLockExclusive 90277->90279 90278->90245 90279->90245 90281 10f977f 
90280->90281 90282 10f975d 90280->90282 90281->90249 90283 10f95b4 DloadReleaseSectionWriteAccess 4 API calls 90282->90283 90284 10f9762 90283->90284 90285 10f977a 90284->90285 90286 10f96dd DloadProtectSection 3 API calls 90284->90286 90301 10f9781 GetModuleHandleW GetProcAddress GetProcAddress ReleaseSRWLockExclusive DloadReleaseSectionWriteAccess 90285->90301 90286->90285 90299 10f953e GetModuleHandleW GetProcAddress GetProcAddress 90288->90299 90290 10f95b9 90291 10f95d1 AcquireSRWLockExclusive 90290->90291 90292 10f95d5 90290->90292 90291->90273 90292->90273 90296 10f96f2 DloadProtectSection 90293->90296 90294 10f96f8 90294->90274 90295 10f972d VirtualProtect 90295->90294 90296->90294 90296->90295 90300 10f95f3 VirtualQuery GetSystemInfo 90296->90300 90298->90277 90299->90290 90300->90295 90301->90281 90305 11124b9 90308 1112205 90305->90308 90309 1112211 std::_Locinfo::_Locinfo_ctor 90308->90309 90316 110ffe1 EnterCriticalSection 90309->90316 90311 111221f 90317 1112260 90311->90317 90313 111222c 90327 1112254 LeaveCriticalSection std::_Lockit::~_Lockit 90313->90327 90315 111223d 90316->90311 90318 111227b 90317->90318 90320 11122ee std::_Lockit::_Lockit 90317->90320 90319 11122ce 90318->90319 90318->90320 90328 11064e1 90318->90328 90319->90320 90322 11064e1 45 API calls 90319->90322 90320->90313 90324 11122e4 90322->90324 90323 11122c4 90325 1114746 ___free_lconv_mon 14 API calls 90323->90325 90326 1114746 ___free_lconv_mon 14 API calls 90324->90326 90325->90319 90326->90320 90327->90315 90329 1106509 90328->90329 90330 11064ee 90328->90330 90331 1106518 90329->90331 90350 11166eb 43 API calls 2 library calls 90329->90350 90330->90329 90332 11064fa 90330->90332 90337 111671e 90331->90337 90349 1101a3f 14 API calls __dosmaperr 90332->90349 90336 11064ff std::locale::_Setgloballocale 90336->90323 90338 1116736 90337->90338 90339 111672b 90337->90339 90341 111673e 90338->90341 90347 1116747 __Getcoll 90338->90347 90351 1114780 90339->90351 90342 1114746 
___free_lconv_mon 14 API calls 90341->90342 90345 1116733 90342->90345 90343 1116771 RtlReAllocateHeap 90343->90345 90343->90347 90344 111674c 90358 1101a3f 14 API calls __dosmaperr 90344->90358 90345->90336 90347->90343 90347->90344 90359 11119ca EnterCriticalSection LeaveCriticalSection std::_Facet_Register 90347->90359 90349->90336 90350->90331 90352 11147be 90351->90352 90356 111478e __Getcoll 90351->90356 90361 1101a3f 14 API calls __dosmaperr 90352->90361 90353 11147a9 RtlAllocateHeap 90355 11147bc 90353->90355 90353->90356 90355->90345 90356->90352 90356->90353 90360 11119ca EnterCriticalSection LeaveCriticalSection std::_Facet_Register 90356->90360 90358->90345 90359->90347 90360->90356 90361->90355 90362 10f9346 90363 10f92e5 90362->90363 90364 10f97ad ___delayLoadHelper2@8 17 API calls 90363->90364 90364->90363 90365 fc66b0 IsWindow 90366 fc670d 90365->90366 90367 fc6704 DestroyWindow 90365->90367 90368 ef8eb0 42 API calls 90366->90368 90367->90366 90369 fc6723 90368->90369 90384 f31100 43 API calls 2 library calls 90369->90384 90371 fc673c 90372 ef8eb0 42 API calls 90371->90372 90373 fc6748 90372->90373 90374 ef8eb0 42 API calls 90373->90374 90375 fc6754 90374->90375 90376 ef8eb0 42 API calls 90375->90376 90377 fc6760 90376->90377 90378 ef8eb0 42 API calls 90377->90378 90379 fc676b 90378->90379 90385 f71640 54 API calls 90379->90385 90381 fc6777 90382 fc67a3 90381->90382 90386 10fc235 10 API calls 90381->90386 90384->90371 90385->90381 90386->90382 90387 6c5c1cb0 90388 6c5c1cd9 RtlFreeHeap 90387->90388 90389 6c5c1ce5 90387->90389 90388->90389 90390 6c5ee870 90391 6c5ee8ae 90390->90391 90392 6c5ee87b 90390->90392 90402 6c5ee9ca 90391->90402 90394 6c5ee8a0 90392->90394 90395 6c5ee880 90392->90395 90427 6c5ee8c3 16 API calls 4 library calls 90394->90427 90397 6c5ee896 90395->90397 90398 6c5ee885 90395->90398 90426 6c5ee301 23 API calls 90397->90426 90401 6c5ee88a 90398->90401 90425 6c5ee320 21 API calls 90398->90425 90403 6c5ee9d6 
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?,SystemFolder,0000000C), ref: 01044CA0
                                                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 01044D8A
                                                                                                                                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsFolder,0000000D), ref: 01044EAF
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsVolume,0000000D), ref: 01044FB6
                                                                                                                                                                                      • Part of subcall function 00EFA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00F15436,00000000,*.*,?,?,?,?), ref: 00EFA863
                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,WindowsVolume,0000000D), ref: 010450F1
                                                                                                                                                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,?,WindowsVolume,0000000D), ref: 010451D2
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(shfolder.dll), ref: 01045262
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 010452A2
                                                                                                                                                                                      • Part of subcall function 01038C90: LoadLibraryW.KERNEL32(Shlwapi.dll,-00000001,00000000,?,?,?,?,?,?,?,?,0104537B,?), ref: 01038CAF
                                                                                                                                                                                      • Part of subcall function 01038C90: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 01038CC5
                                                                                                                                                                                      • Part of subcall function 01038C90: FreeLibrary.KERNEL32(00000000), ref: 01038D08
                                                                                                                                                                                    • GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104), ref: 010454C0
                                                                                                                                                                                    • SHGetPathFromIDListW.SHELL32(?,?), ref: 01045539
                                                                                                                                                                                    • SHGetMalloc.SHELL32(00000000), ref: 01045552
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DirectoryLibrary$AddressFolderLoadPathProcWindows$EnvironmentFileFindFreeFromHeapListLocationMallocModuleNameProcessResourceSpecialSystemVariable
                                                                                                                                                                                    • String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$shfolder.dll
                                                                                                                                                                                    • API String ID: 2967964373-2261365735
                                                                                                                                                                                    • Opcode ID: 0e10ec7f337c723cd213ffb0205dcb18f36499a0fc1fad7ff55b78a4278c80cd
                                                                                                                                                                                    • Instruction ID: 62df0f3f40ab6d2d51e31f95d2cb0265677286516db548c9cad8f496438e859d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0e10ec7f337c723cd213ffb0205dcb18f36499a0fc1fad7ff55b78a4278c80cd
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0B6209B46002198BEB64DF28CC94BBE77B2FF94314F5442F8D556DB291EB329A45CB80
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • #47.MSI(?,AiEmbeddedDirectCall,6C64E00C,00000000), ref: 6C5CBB32
                                                                                                                                                                                    • #47.MSI(?,AiEmbeddedDirectCall,6C64E00C,00000000), ref: 6C5CC042
                                                                                                                                                                                    • #47.MSI(?,AiEmbeddedDirectCall,6C64E00C,00000000), ref: 6C5CBD92
                                                                                                                                                                                      • Part of subcall function 6C5C63E0: #171.MSI(00000000,?,6C64E00C,?), ref: 6C5C6416
                                                                                                                                                                                      • Part of subcall function 6C5C63E0: #171.MSI(00000000,?,00000000,?,?,081BB198), ref: 6C5C6456
                                                                                                                                                                                    • #47.MSI(?,AiEmbeddedDirectCall,6C64E00C,00000000,?,?,081BB198), ref: 6C5CC4C2
                                                                                                                                                                                    • #47.MSI(?,AiEmbeddedDirectCall,6C64E00C,00000000,?,081BB198), ref: 6C5CC831
                                                                                                                                                                                    • #47.MSI(?,AiEmbeddedDirectCall,6C64E00C,00000000), ref: 6C5CC214
                                                                                                                                                                                      • Part of subcall function 6C5C1330: #17.MSI(00000002,?,00000000,?,00000000), ref: 6C5C13F3
                                                                                                                                                                                      • Part of subcall function 6C5C1330: #125.MSI(00000000,00000000,[1],?,00000000), ref: 6C5C140A
                                                                                                                                                                                      • Part of subcall function 6C5C1330: #125.MSI(00000000,00000001,00000000,?,00000000), ref: 6C5C1417
                                                                                                                                                                                      • Part of subcall function 6C5C1330: #103.MSI(?,04000000,00000000,?,00000000), ref: 6C5C1429
                                                                                                                                                                                      • Part of subcall function 6C5C1330: #8.MSI(00000000,?,00000000), ref: 6C5C1438
                                                                                                                                                                                      • Part of subcall function 6C5C1FD0: GetProcessHeap.KERNEL32 ref: 6C5C202C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2485873494.000000006C580000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2485960344.000000006C627000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486013698.000000006C672000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486038035.000000006C681000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6c580000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: #125#171$#103HeapProcess
                                                                                                                                                                                    • String ID: -> $4gl$Action ended$AiEmbeddedDirectCall$Crash >> $Error: $Exception >> $Info 1720$LIMITUI$Lifecycle: $LogonUser$Track screen: [$W$Warning: $end$fatal error$success$user abort$xxel$*
                                                                                                                                                                                    • API String ID: 3629383927-1530147290
                                                                                                                                                                                    • Opcode ID: 60b19f9cb3937f33f967a484ba22414d3eb7ae225e3dec30598d9be280943e95
                                                                                                                                                                                    • Instruction ID: c5d3ff3592872b4ef66104dfc0f4a187e92bb6cb73e893363176ce1f259e941c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 60b19f9cb3937f33f967a484ba22414d3eb7ae225e3dec30598d9be280943e95
                                                                                                                                                                                    • Instruction Fuzzy Hash: FEE2B274E01248DBDF05DFA8C8547EEBBB1AF85318F24814DE811AB780DB74AE45CB96
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000001,0116D266,00000000,00000000,0116D266,00000000,?,?,0116D266,000000FF), ref: 01048C70
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: HeapLibraryLoadProcess
                                                                                                                                                                                    • String ID: ====== Starting logging of "$" ====$Advinst_$Command line to pass to MSI:$Full command line:
                                                                                                                                                                                    • API String ID: 3872204244-3828228616
                                                                                                                                                                                    • Opcode ID: 6b6fcaf812612b6fce81c3a5920d0003fac50e8bdf1ff62ed71bd52cc7b25334
                                                                                                                                                                                    • Instruction ID: 5e208f584d6a76948cae53585404a20efe74f01804ab30e13e349fe773b7c682
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6b6fcaf812612b6fce81c3a5920d0003fac50e8bdf1ff62ed71bd52cc7b25334
                                                                                                                                                                                    • Instruction Fuzzy Hash: CEB2B371A002098BDB14DFA8C8947EEBBB5FF48314F1481BDE956AB3C1DB74A905CB91

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 1579 10732b0-1073333 GetUserNameW 1580 1073335-107333e GetLastError 1579->1580 1581 1073383-10733c1 GetEnvironmentVariableW 1579->1581 1580->1581 1584 1073340-1073348 1580->1584 1582 10733c3-10733cb 1581->1582 1583 1073408-1073448 call ef7cf0 call ef86a0 * 2 1581->1583 1587 10733e3-10733eb call f011e0 1582->1587 1588 10733cd-10733e1 1582->1588 1599 107347c-1073499 1583->1599 1600 107344a-107345c 1583->1600 1585 1073360-1073368 call f011e0 1584->1585 1586 107334a-107335e 1584->1586 1590 107336d-107337d GetUserNameW 1585->1590 1586->1590 1592 10733f0-1073402 GetEnvironmentVariableW 1587->1592 1588->1592 1590->1581 1592->1583 1603 107349b-10734ad 1599->1603 1604 10734c9-10734f9 call 10fc65a 1599->1604 1601 1073472-1073479 call 10fc668 1600->1601 1602 107345e-107346c 1600->1602 1601->1599 1602->1601 1605 10734fa-1073581 call 110192f call 10739a0 call 102bb50 call ef8eb0 1602->1605 1607 10734bf-10734c6 call 10fc668 1603->1607 1608 10734af-10734bd 1603->1608 1622 1073583-10735a4 call 1017370 1605->1622 1623 10735ac-10735b2 1605->1623 1607->1604 1608->1605 1608->1607 1627 10735a9 1622->1627 1625 10735b6-10735e5 RegDeleteValueW call ef8eb0 * 2 1623->1625 1626 10735b4 1623->1626 1632 10735e7-10735ee RegCloseKey 1625->1632 1633 10735f5-1073668 call ef87d0 call 102bb50 1625->1633 1626->1625 1627->1623 1632->1633 1638 107369c-10736b3 1633->1638 1639 107366a-107367c 1633->1639 1642 10736b5-10736d6 call 1017370 1638->1642 1643 10736db-1073740 call 1073b50 call 102bb50 RegQueryInfoKeyW 1638->1643 1640 1073692-1073699 call 10fc668 1639->1640 1641 107367e-107368c 1639->1641 1640->1638 1641->1640 1645 1073992 call 110192f 1641->1645 1642->1643 1655 1073742-107376c call ef8eb0 * 2 1643->1655 1656 107378b-10737b5 call ef8eb0 * 2 1643->1656 1652 1073997-107399f call 110192f 1645->1652 1668 
107377f-1073789 1655->1668 1669 107376e-1073775 RegCloseKey 1655->1669 1666 10737b7-10737be RegCloseKey 1656->1666 1667 10737c8-10737d6 1656->1667 1666->1667 1670 10737da-10737de RegDeleteKeyW 1667->1670 1671 10737d8 1667->1671 1672 10737e4-1073817 call ef8eb0 * 3 1668->1672 1669->1668 1670->1672 1671->1670 1679 1073827-107387b call ef87d0 call 102bb50 1672->1679 1680 1073819-1073820 RegCloseKey 1672->1680 1685 10738af-10738cb 1679->1685 1686 107387d-107388f 1679->1686 1680->1679 1689 10738cd-1073902 call 1017370 1685->1689 1690 1073908-107390c 1685->1690 1687 10738a5-10738ac call 10fc668 1686->1687 1688 1073891-107389f 1686->1688 1687->1685 1688->1652 1688->1687 1689->1690 1693 1073910-107392e RegDeleteValueW call ef8eb0 1690->1693 1694 107390e 1690->1694 1698 1073933-1073951 call ef8eb0 1693->1698 1694->1693 1701 1073964-1073991 call 10fc65a 1698->1701 1702 1073953-107395a RegCloseKey 1698->1702 1702->1701
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetUserNameW.ADVAPI32(?,?), ref: 0107332B
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 01073335
                                                                                                                                                                                    • GetUserNameW.ADVAPI32(?,?), ref: 0107337D
                                                                                                                                                                                    • GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 010733B7
                                                                                                                                                                                    • GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,-00000001,00000000), ref: 01073402
                                                                                                                                                                                    • RegDeleteValueW.KERNEL32(?,?,00000000,80000001,00000001,00000000,2F45994F), ref: 010735B8
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,2F45994F), ref: 010735E8
                                                                                                                                                                                    • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,2F45994F,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0107372D
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 0107376F
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 010737B8
                                                                                                                                                                                    • RegDeleteKeyW.ADVAPI32(?,00000000), ref: 010737DE
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 0107381A
                                                                                                                                                                                    • RegDeleteValueW.KERNEL32(?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 01073912
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 01073954
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Close$Delete$EnvironmentNameUserValueVariable$ErrorInfoLastQuery
                                                                                                                                                                                    • String ID: Software$Software\Microsoft\Windows\CurrentVersion\RunOnce$UserDomain
                                                                                                                                                                                    • API String ID: 1615433478-4079418357
                                                                                                                                                                                    • Opcode ID: f5fa71868066db112cf86ace058953e6de87faf3c3d9325e60a522479bcdb51e
                                                                                                                                                                                    • Instruction ID: 1f68ad59b6e73d49075e26a68ccbbee244ef56d8b9309fcb8fbf2ac973d4b6ea
                                                                                                                                                                                    • Opcode Fuzzy Hash: f5fa71868066db112cf86ace058953e6de87faf3c3d9325e60a522479bcdb51e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 13226B70D00249DBEF24DFA8C959BEEBBB4FF14304F208159E555B7280DB746A88DB91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00F14C1F
                                                                                                                                                                                    • PathIsUNCW.SHLWAPI(00000000,*.*,00000000), ref: 00F14CE6
                                                                                                                                                                                    • FindFirstFileW.KERNEL32(00000000,?,*.*,00000000), ref: 00F14E79
                                                                                                                                                                                    • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F14E93
                                                                                                                                                                                    • GetFullPathNameW.KERNEL32(00000000,00000000,?,00000000), ref: 00F14ED0
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00F14F34
                                                                                                                                                                                    • SetLastError.KERNEL32(0000007B), ref: 00F14F3E
                                                                                                                                                                                    • PathIsUNCW.SHLWAPI(?,?,2F45994F,*.*,?), ref: 00F151A4
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Path$Find$CloseFullName$ErrorFileFirstLast
                                                                                                                                                                                    • String ID: *.*$\\?\$\\?\UNC\
                                                                                                                                                                                    • API String ID: 2310598285-1700010636
                                                                                                                                                                                    • Opcode ID: 5849806f16f7bedbf516414b61fbce4eb4a8c562ce7149685cb0be5ef98eb830
                                                                                                                                                                                    • Instruction ID: 9d49d794cab73822df471d132d0c858ac530aa203ab8fd41c41191f5ac3c0918
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5849806f16f7bedbf516414b61fbce4eb4a8c562ce7149685cb0be5ef98eb830
                                                                                                                                                                                    • Instruction Fuzzy Hash: F742F271A00605CFCB14DF68C848BAEB7B5FF84724F144168E916AB3D1DB76AD81EB90

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 6C5DF2C2
                                                                                                                                                                                    • PathIsUNCW.SHLWAPI(?,*.*), ref: 6C5DF382
                                                                                                                                                                                    • FindFirstFileW.KERNEL32(?,00000001,*.*), ref: 6C5DF578
                                                                                                                                                                                    • GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 6C5DF592
                                                                                                                                                                                    • GetFullPathNameW.KERNEL32(?,00000000,?,00000000), ref: 6C5DF5CF
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 6C5DF633
                                                                                                                                                                                    • SetLastError.KERNEL32(0000007B), ref: 6C5DF63D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2485873494.000000006C580000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2485960344.000000006C627000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486013698.000000006C672000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486038035.000000006C681000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6c580000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FindPath$CloseFullName$ErrorFileFirstLast
                                                                                                                                                                                    • String ID: *.*$\\?\$\\?\UNC\$*
                                                                                                                                                                                    • API String ID: 539638818-1050997631
                                                                                                                                                                                    • Opcode ID: 5d99c00d775e171e990b493f99f3e27cda0bc455d8bf8e4421e7971d23dcf20b
                                                                                                                                                                                    • Instruction ID: 4d493814e56f679f382301ec65114bf658c711ed1609a7bcaed7fb6b76e4dc03
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5d99c00d775e171e990b493f99f3e27cda0bc455d8bf8e4421e7971d23dcf20b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2CF1C430A01606DFDF04DF68CC88BAEB7B1FF45328F194268E8159B791DB35A945CB98

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 0102A0F2
                                                                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 0102A0FF
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0102A109
                                                                                                                                                                                    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 0102A12D
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0102A137
                                                                                                                                                                                    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000), ref: 0102A15D
                                                                                                                                                                                    • AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0102A194
                                                                                                                                                                                    • EqualSid.ADVAPI32(00000000,?), ref: 0102A1A3
                                                                                                                                                                                    • FreeSid.ADVAPI32(?), ref: 0102A1B2
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0102A1EC
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Token$ErrorInformationLastProcess$AllocateCloseCurrentEqualFreeHandleInitializeOpen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 695978879-0
                                                                                                                                                                                    • Opcode ID: 12960edd9e50e6f9b779fa95d99f95c26bde53aa79d952bb8434f549b5386061
                                                                                                                                                                                    • Instruction ID: 851756da9b959290898761842ecfc6390b648c4c95ceb5d897af02be6a32d421
                                                                                                                                                                                    • Opcode Fuzzy Hash: 12960edd9e50e6f9b779fa95d99f95c26bde53aa79d952bb8434f549b5386061
                                                                                                                                                                                    • Instruction Fuzzy Hash: 69415E71A4021DDFEF249FA4D949BEEBBB8FF08758F108059E512B3280DB795904CBA0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: .session$Application ID$Application Version$Client ID$Current Session$Hit $Protocol Version$Session ID$*$*
                                                                                                                                                                                    • API String ID: 0-3349231271
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindFirstFileW.KERNEL32(00000001,00000001,?,E0ED2AEC,00000001), ref: 6C5E4EB8
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 6C5E4EF0
                                                                                                                                                                                      • Part of subcall function 6C5C1C40: HeapAlloc.KERNEL32(00000000,00000000,80004005,E0ED2AEC,00000000,6C60C7D0,000000FF,?,?,6C67046C,80004005,?,6C5E586B,80004005,?,6C6223A7), ref: 6C5C1C8A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Find$AllocCloseFileFirstHeap
                                                                                                                                                                                    • String ID: *
                                                                                                                                                                                    • API String ID: 2507753907-2049891948
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadStringW.USER32(?,?,?,00000100), ref: 01036813
                                                                                                                                                                                    • LoadStringW.USER32(?,?,?,00000001), ref: 01036933
                                                                                                                                                                                    • CLSIDFromString.COMBASE(00000000,?), ref: 01036ABA
                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 01036ACE
                                                                                                                                                                                    • SysAllocStringLen.OLEAUT32(?,?), ref: 01036AF5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: String$Load$AllocFreeFrom
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 687443712-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 01065B4A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DiskFreeSpace
                                                                                                                                                                                    • String ID: \$\$\
                                                                                                                                                                                    • API String ID: 1705453755-3791832595
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: AI_EXIST_INSTANCES$AI_EXIST_NEW_INSTANCES$MultipleInstances$MultipleInstancesProps$PropertyValue
                                                                                                                                                                                    • API String ID: 0-2308371840
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • FindFirstFileW.KERNEL32(?,?,00000000,00000000,?,?), ref: 0105A36F
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0105A3B3
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?), ref: 0105A6B1
                                                                                                                                                                                      • Part of subcall function 0107B160: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,2F45994F,?,?,?,?,?,?,01157F3D), ref: 0107B1C4
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?), ref: 0105A87B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Close$FileFindHandle$CreateFirstHeapProcess
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1937692618-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000008,00000008,00000000,0105C8C1,?,?,?), ref: 010FC18E
                                                                                                                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?), ref: 010FC195
                                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?), ref: 010FC1DB
                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,?,?), ref: 010FC1E2
                                                                                                                                                                                      • Part of subcall function 010FC027: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,010FC1D1,?,?,?,?), ref: 010FC04B
                                                                                                                                                                                      • Part of subcall function 010FC027: HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 010FC052
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Heap$Process$Alloc$Free
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1864747095-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00FE8312
                                                                                                                                                                                    • GetSysColor.USER32(00000011), ref: 00FE8644
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                      • Part of subcall function 00EFA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00F15436,00000000,*.*,?,?,?,?), ref: 00EFA863
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000000,0115D9BD,000000FF), ref: 00FE83E9
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ColorDirectoryFindHeapLibraryLoadProcessResourceSystem
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 346497123-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 0102E57F
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0102E5DE
                                                                                                                                                                                      • Part of subcall function 00EFB010: RtlAllocateHeap.NTDLL(?,00000000,?,2F45994F,00000000,011239F0,000000FF,?,?,0123843C,?,?,01074927,80004005,2F45994F,?), ref: 00EFB05A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Find$AllocateCloseFileFirstHeap
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1673784098-0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: Name${Binary Data}
                                                                                                                                                                                    • API String ID: 0-874704490
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,00000000,2F45994F,?,?,00000000), ref: 010749BB
                                                                                                                                                                                    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,00000000,2F45994F,?,?,00000000), ref: 010749E1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Create$FileNamedPipe
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1328467360-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • __set_se_translator.LIBVCRUNTIME ref: 00F32308
                                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(0102D330), ref: 00F3231E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ExceptionFilterUnhandled__set_se_translator
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2480343447-0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 0e+00
                                                                                                                                                                                    • API String ID: 0-2793203700
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 6C5BF937
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AdaptersInfo
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3177971545-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CoCreateInstance.COMBASE(011B4548,00000000,00000001,011D23D0,000000B0), ref: 01080737
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateInstance
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 542301482-0
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateHeapInstanceProcess
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 776714826-0

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,2F45994F,00000000,?,?,?,000000FF), ref: 010137A5
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32,.local,?,?,?,?,000000FF), ref: 0101384C
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0101388B
                                                                                                                                                                                    • SetSearchPathMode.KERNEL32 ref: 010138BE
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 010138ED
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0101394F
                                                                                                                                                                                    • SetDefaultDllDirectories.KERNELBASE ref: 01013982
                                                                                                                                                                                      • Part of subcall function 00FE82D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00FE8312
                                                                                                                                                                                      • Part of subcall function 00EFB010: RtlAllocateHeap.NTDLL(?,00000000,?,2F45994F,00000000,011239F0,000000FF,?,?,0123843C,?,?,01074927,80004005,2F45994F,?), ref: 00EFB05A
                                                                                                                                                                                    • FreeLibrary.KERNEL32(?,2F45994F,00000000,011239F0,000000FF,?,000000E1,80004005,?,?,000000FF), ref: 01013BF4
                                                                                                                                                                                      • Part of subcall function 010192F0: EnterCriticalSection.KERNEL32(01241F9C,2F45994F), ref: 0101932F
                                                                                                                                                                                      • Part of subcall function 010192F0: DestroyWindow.USER32(00000000), ref: 0101934D
                                                                                                                                                                                      • Part of subcall function 010192F0: LeaveCriticalSection.KERNEL32(01241F9C), ref: 01019396
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$CriticalHeapModuleSection$AllocateDefaultDestroyDirectoriesDirectoryEnterFileFreeHandleLeaveLibraryModeNamePathProcessSearchSystemWindow
                                                                                                                                                                                    • String ID: .local$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$USP10.dll$WindowsCodecs.dll$advapi32.dll$apphelp.dll$bcrypt.dll$cabinet.dll$comctl32.dll$comdlg32.dll$crypt32.dll$cryptsp.dll$davhlpr.dll$dbghelp.dll$dwmapi.dll$gdi32.dll$gdiplus.dll$kernel32$kernel32.dll$lpk.dll$mpr.dll$msasn1.dll$msi.dll$msihnd.dll$msimg32.dll$msls31.dll$netapi32.dll$netutils.dll$ole32.dll$oleaut32.dll$profapi.dll$propsys.dll$psapi.dll$rsaenh.dll$samcli.dll$secur32.dll$setupapi.dll$shcore.dll$shell32.dll$shlwapi.dll$srvcli.dll$urlmon.dll$user32.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wininet.dll$wintrust.dll$wkscli.dll$ws2_32.dll
                                                                                                                                                                                    • API String ID: 863123761-3786055182

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,?,?,00000000,6C6246AD,000000FF), ref: 6C5E3C46
                                                                                                                                                                                    • RegQueryValueExW.KERNEL32(?,ProductType,00000000,00000000,?,?,?,00000000,6C6246AD,000000FF), ref: 6C5E3C72
                                                                                                                                                                                    • RegQueryValueExW.KERNEL32(?,ProductSuite,00000000,00000000,?,?,?,00000000,6C6246AD,000000FF), ref: 6C5E3CE5
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,6C6246AD,000000FF), ref: 6C5E3EB8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2485873494.000000006C580000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2485960344.000000006C627000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486013698.000000006C672000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486038035.000000006C681000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6c580000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: QueryValue$CloseOpen
                                                                                                                                                                                    • String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT$*
                                                                                                                                                                                    • API String ID: 1586453840-2772774213
                                                                                                                                                                                    • Opcode ID: 4590b47f320ac4f848582d4ec6bfcfe1654581203dff1aa12341c56c0bd6019e
                                                                                                                                                                                    • Instruction ID: e1c616287410eade77d4625a1de011de9b5be1308a5c3de303d2c0919c13c0b8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4590b47f320ac4f848582d4ec6bfcfe1654581203dff1aa12341c56c0bd6019e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5F71F475740248ABDB00CF66CD417AB7A75AB8D388F54493ADA069FEA0EB34CD098B54

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 01033E2A
                                                                                                                                                                                    • RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?,?), ref: 01033E5F
                                                                                                                                                                                    • RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 01033EDE
                                                                                                                                                                                    • RegCloseKey.KERNEL32(00000000), ref: 010340BE
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: QueryValue$CloseOpen
                                                                                                                                                                                    • String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
                                                                                                                                                                                    • API String ID: 1586453840-3149529848
                                                                                                                                                                                    • Opcode ID: df8e67c3f916ee55e00b213f0e48cc4b6fe98bf4c34538f88473840a12cb5a0a
                                                                                                                                                                                    • Instruction ID: 346dd04d1735f377194ed5f71a7749d8c69f71c26a246c490231c6d0e0eea757
                                                                                                                                                                                    • Opcode Fuzzy Hash: df8e67c3f916ee55e00b213f0e48cc4b6fe98bf4c34538f88473840a12cb5a0a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2071F4347043088BDB249F64DD447AAB6ADFBD1744F0041B8E986EFA81EB74DD45CB82

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?,?,?,?,?,?,?,00000000,6C624669,000000FF), ref: 6C5E3904
                                                                                                                                                                                    • RegQueryValueExW.KERNEL32(?,CurrentMajorVersionNumber,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6C624669,000000FF), ref: 6C5E3933
                                                                                                                                                                                    • RegQueryValueExW.KERNEL32(?,CurrentMinorVersionNumber,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6C624669,000000FF), ref: 6C5E394D
                                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,CurrentVersion,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6C624669,000000FF), ref: 6C5E3977
                                                                                                                                                                                    • RegQueryValueExW.KERNEL32(?,CurrentBuildNumber,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6C624669,000000FF), ref: 6C5E39E4
                                                                                                                                                                                    • RegQueryValueExW.KERNEL32(?,ReleaseId,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6C624669,000000FF), ref: 6C5E3A48
                                                                                                                                                                                    • RegQueryValueExW.KERNEL32(?,CSDVersion,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6C624669,000000FF), ref: 6C5E3A8B
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,?,?,?,?,00000000,6C624669,000000FF), ref: 6C5E3B2A
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 6C5E3B31
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00000000,6C624669,000000FF), ref: 6C5E3B62
                                                                                                                                                                                    • IsWow64Process.KERNEL32(?,?,?,?,?,?,00000000,6C624669,000000FF), ref: 6C5E3B71
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00000000,6C624669,000000FF), ref: 6C5E3BA2
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2485873494.000000006C580000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2485960344.000000006C627000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486013698.000000006C672000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486038035.000000006C681000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6c580000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: QueryValue$Process$AddressCloseCurrentHandleModuleOpenProcWow64
                                                                                                                                                                                    • String ID: CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32$*
                                                                                                                                                                                    • API String ID: 2654979339-2811115262
                                                                                                                                                                                    • Opcode ID: 00730c97753a04d648f7da86b5a6c88e0b5fef9107a33c7b8694867b6db38a6c
                                                                                                                                                                                    • Instruction ID: 861210ba89ac577ddd90d2cfd830e3208947b27e333989bb4cbe420c380befff
                                                                                                                                                                                    • Opcode Fuzzy Hash: 00730c97753a04d648f7da86b5a6c88e0b5fef9107a33c7b8694867b6db38a6c
                                                                                                                                                                                    • Instruction Fuzzy Hash: E6917FB1A01259EFDF10CF65CC85FEEB7B8FB09714F100629E915A7690E7345A88CB68

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 01033A78
                                                                                                                                                                                    • RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 01033AB9
                                                                                                                                                                                    • RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 01033ADC
                                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 01033B0F
                                                                                                                                                                                    • RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 01033B88
                                                                                                                                                                                    • RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 01033BFF
                                                                                                                                                                                    • RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 01033C55
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 01033CF3
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 01033CFA
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?), ref: 01033D31
                                                                                                                                                                                    • IsWow64Process.KERNEL32 ref: 01033D40
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 01033D7A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: QueryValue$Process$AddressCloseCurrentHandleModuleOpenProcWow64
                                                                                                                                                                                    • String ID: CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32
                                                                                                                                                                                    • API String ID: 2654979339-3583743485
                                                                                                                                                                                    • Opcode ID: 5d861237e80a2047e5ac8871b79f20b72ed33168fe0c6b61551b647598752d67
                                                                                                                                                                                    • Instruction ID: 7b8f95d27538e107d6054693f0f587235af8e30d7d58502a3cdbfdffc712a5d5
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5d861237e80a2047e5ac8871b79f20b72ed33168fe0c6b61551b647598752d67
                                                                                                                                                                                    • Instruction Fuzzy Hash: C1A1C2B59006289FDB74CF24EC49BADB7B9FB84715F0002E9E519A7280D7365A98CF40

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000010), ref: 0104BEE6
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 0104BF1A
                                                                                                                                                                                      • Part of subcall function 00EFA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00F15436,00000000,*.*,?,?,?,?), ref: 00EFA863
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$FindHeapProcessResource
                                                                                                                                                                                    • String ID: %hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\
                                                                                                                                                                                    • API String ID: 2083075878-297406034
                                                                                                                                                                                    • Opcode ID: 9ad71af145c91deab3cc0809d7121736d41eb9e9230c5f8849f6d812d2264328
                                                                                                                                                                                    • Instruction ID: bd0d980afcb172251203520f255f09d04e46a62e035b4641b429a2da669942c4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9ad71af145c91deab3cc0809d7121736d41eb9e9230c5f8849f6d812d2264328
                                                                                                                                                                                    • Instruction Fuzzy Hash: DCE1D0719002199BDB15DB68CC44BAEBBF5EF88320F1442E8E959A73C1DB34AE41CF90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetActiveWindow.USER32 ref: 0104BC64
                                                                                                                                                                                    • SetLastError.KERNEL32(0000000E), ref: 0104BC81
                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0104BC99
                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(012472EC), ref: 0104BCB6
                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(012472EC), ref: 0104BCD9
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000010), ref: 0104BEE6
                                                                                                                                                                                    • SetEvent.KERNEL32(?,?,00000000,?,00000001,?,?), ref: 0104C173
                                                                                                                                                                                      • Part of subcall function 01074A40: CloseHandle.KERNEL32(?,2F45994F,?,00000010,?,00000000,01175363,000000FF,?,010503F2,00000000,00000000,00000000,00000001,?,0000000D), ref: 01074A7A
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 0104BF1A
                                                                                                                                                                                      • Part of subcall function 00EFA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00F15436,00000000,*.*,?,?,?,?), ref: 00EFA863
                                                                                                                                                                                      • Part of subcall function 01015250: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,00000000,?,01242000,010680E8,?), ref: 01015268
                                                                                                                                                                                      • Part of subcall function 01015250: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 0101529A
                                                                                                                                                                                    • DialogBoxParamW.USER32(000007D0,00000000,00F762D0,00000000), ref: 0104BCF6
                                                                                                                                                                                      • Part of subcall function 00EFB010: RtlAllocateHeap.NTDLL(?,00000000,?,2F45994F,00000000,011239F0,000000FF,?,?,0123843C,?,?,01074927,80004005,2F45994F,?), ref: 00EFB05A
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$CriticalHeapSection$ActiveAllocateCloseCurrentDialogEnterErrorEventFindHandleLastLeaveParamProcessResourceThreadWindow
                                                                                                                                                                                    • String ID: Advinst_Extract_$Code returned to Windows by setup:$FILES.7z
                                                                                                                                                                                    • API String ID: 1122345507-2771609608
                                                                                                                                                                                    • Opcode ID: b3f0c5a343585dbadb0fdb8022b2bac97d1649f75f1b2c25bdd6f7cb81276429
                                                                                                                                                                                    • Instruction ID: c66b1b7b174b22aebe5c61f193e676182130125ad627627a5695b39f9c6593d9
                                                                                                                                                                                    • Opcode Fuzzy Hash: b3f0c5a343585dbadb0fdb8022b2bac97d1649f75f1b2c25bdd6f7cb81276429
                                                                                                                                                                                    • Instruction Fuzzy Hash: F9A2CD7090020DDFDB15DBA8C898BEEBBF4AF48314F1481E9E556A7291DB34AE45CF90

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 010745A6
                                                                                                                                                                                    • GetDlgItem.USER32(00000000,000007D1), ref: 010745BD
                                                                                                                                                                                    • SendMessageW.USER32(00000000,000000D2,00000000,00000000), ref: 010745CF
                                                                                                                                                                                    • SetFocus.USER32(00000000), ref: 010745DA
                                                                                                                                                                                    • GetDlgItem.USER32(00000000,000007D1), ref: 01074618
                                                                                                                                                                                    • GetDlgItem.USER32(00000000,0000042D), ref: 01074628
                                                                                                                                                                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01074638
                                                                                                                                                                                    • SendMessageW.USER32(00000000,000000CC,?,00000000), ref: 01074654
                                                                                                                                                                                    • RedrawWindow.USER32(00000000,00000000,00000000,00000105), ref: 01074664
                                                                                                                                                                                    • EndDialog.USER32(00000000,00000002), ref: 01074681
                                                                                                                                                                                    • GetDlgItem.USER32(00000000,000007D1), ref: 010746B3
                                                                                                                                                                                    • EndDialog.USER32(00000000,00000001), ref: 01074740
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Item$MessageSend$DialogWindow$FocusHeapProcessRedrawText
                                                                                                                                                                                    • String ID: PackageCode
                                                                                                                                                                                    • API String ID: 264263596-1525858878
                                                                                                                                                                                    • Opcode ID: 51b519edff71fa83ca6ac6a7501c9a47b89a3c2545e761c7ed4326e53e334818
                                                                                                                                                                                    • Instruction ID: ea87ceccf9a5c31e5b479316c8869cf43d1995dc9642c39d6a8959e3dd64ca5e
                                                                                                                                                                                    • Opcode Fuzzy Hash: 51b519edff71fa83ca6ac6a7501c9a47b89a3c2545e761c7ed4326e53e334818
                                                                                                                                                                                    • Instruction Fuzzy Hash: F1D10035A00605AFDB15DF68DC48BAEBBE5FF48310F004169FA56EB291EB75A800CB94

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00000043), ref: 00F324E8
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,InitializeEmbeddedUI), ref: 00F324FA
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,ShutdownEmbeddedUI), ref: 00F32508
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EmbeddedUIHandler), ref: 00F32517
                                                                                                                                                                                      • Part of subcall function 00EFB010: RtlAllocateHeap.NTDLL(?,00000000,?,2F45994F,00000000,011239F0,000000FF,?,?,0123843C,?,?,01074927,80004005,2F45994F,?), ref: 00EFB05A
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$Heap$AllocateLibraryLoadProcess
                                                                                                                                                                                    • String ID: build $21.5$EmbeddedUIHandler$INAN$InitializeEmbeddedUI$SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll'$ShutdownEmbeddedUI$e6df463a
                                                                                                                                                                                    • API String ID: 230625546-509971943
                                                                                                                                                                                    • Opcode ID: 6b118105496ea5be42e15d283df15f7ade8a666e4f86ba4303b0e5ced56303c7
                                                                                                                                                                                    • Instruction ID: 4b8a77fa20055c8e7be358ab0996356f790e0336e737b30e035c3be2a659e917
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6b118105496ea5be42e15d283df15f7ade8a666e4f86ba4303b0e5ced56303c7
                                                                                                                                                                                    • Instruction Fuzzy Hash: D2D1B075E002099BCB14DFA4C855BEEBBB5FF88324F24421DE915B7380EB74AA45CB90

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W,?), ref: 00F03477
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00F0347E
                                                                                                                                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104,2F45994F,?,?), ref: 00F034C4
                                                                                                                                                                                    • PathFileExistsW.SHLWAPI(?), ref: 00F034EC
                                                                                                                                                                                    • CreateDirectoryW.KERNEL32(?,?,S-1-5-32-544,10000000,00000001,S-1-5-18,10000000,00000001), ref: 00F03577
                                                                                                                                                                                      • Part of subcall function 010FCAB5: AcquireSRWLockExclusive.KERNEL32(01240888,?,?,?,00EFB446,0124149C,2F45994F,?,?,01123F6D,000000FF,?,010748BD,2F45994F,?), ref: 010FCAC0
                                                                                                                                                                                      • Part of subcall function 010FCAB5: ReleaseSRWLockExclusive.KERNEL32(01240888,?,?,00EFB446,0124149C,2F45994F,?,?,01123F6D,000000FF,?,010748BD,2F45994F,?), ref: 010FCAFA
                                                                                                                                                                                    • GetTempPathW.KERNEL32(00000104,?,2F45994F,?,?), ref: 00F0359A
                                                                                                                                                                                      • Part of subcall function 010FCA64: AcquireSRWLockExclusive.KERNEL32(01240888,?,?,00EFB4B7,0124149C,01187860), ref: 010FCA6E
                                                                                                                                                                                      • Part of subcall function 010FCA64: ReleaseSRWLockExclusive.KERNEL32(01240888,?,?,00EFB4B7,0124149C,01187860), ref: 010FCAA1
                                                                                                                                                                                      • Part of subcall function 010FCA64: WakeAllConditionVariable.KERNEL32(01240884,?,?,00EFB4B7,0124149C,01187860), ref: 010FCAAC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ExclusiveLock$AcquireDirectoryPathRelease$AddressConditionCreateExistsFileHandleModuleProcTempVariableWakeWindows
                                                                                                                                                                                    • String ID: GetTempPath2W$Kernel32.dll$S-1-5-18$S-1-5-32-544$\SystemTemp\
                                                                                                                                                                                    • API String ID: 3143601600-595641723
                                                                                                                                                                                    • Opcode ID: ddced6838fd6951236324be59e8328ff773be988cb86d8583db7ef45c7c70dfa
                                                                                                                                                                                    • Instruction ID: a8702b7bd6ad3447e23b8ef77a305b06b0c9b90f2671a6a84b17c1432383b7e5
                                                                                                                                                                                    • Opcode Fuzzy Hash: ddced6838fd6951236324be59e8328ff773be988cb86d8583db7ef45c7c70dfa
                                                                                                                                                                                    • Instruction Fuzzy Hash: 80A10471D00218EBDB24DFA4DD89BEDB7B8EB14710F104199E509A7280DB746F48DB91

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetActiveWindow.USER32 ref: 0105C88D
                                                                                                                                                                                    • SetLastError.KERNEL32(0000000E,?,?,?), ref: 0105C8CA
                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0105C955
                                                                                                                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 0105C9E4
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0105C9F2
                                                                                                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 0105C9FE
                                                                                                                                                                                      • Part of subcall function 01052C70: GetDlgItem.USER32(?,00000002), ref: 01052C8D
                                                                                                                                                                                      • Part of subcall function 01052C70: GetWindowRect.USER32(00000000,?), ref: 01052CA3
                                                                                                                                                                                      • Part of subcall function 01052C70: ShowWindow.USER32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,0105C8AD), ref: 01052CB8
                                                                                                                                                                                      • Part of subcall function 01052C70: InvalidateRect.USER32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,0105C8AD), ref: 01052CC3
                                                                                                                                                                                      • Part of subcall function 01052C70: GetDlgItem.USER32(?,000003E9), ref: 01052CD1
                                                                                                                                                                                      • Part of subcall function 01052C70: GetWindowRect.USER32(00000000,?), ref: 01052CE7
                                                                                                                                                                                      • Part of subcall function 01052C70: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,00000000), ref: 01052D26
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 0105CA8E
                                                                                                                                                                                    • SetWindowTextW.USER32(00000000,00000000), ref: 0105CA96
                                                                                                                                                                                      • Part of subcall function 00F0BC50: RaiseException.KERNEL32(?,?,00000000,00000000,010192DC,C0000005,00000001,2F45994F,01238AB8,054AAC78,?,01241FAC,01238AB8,01123E70,000000FF), ref: 00F0BC5C
                                                                                                                                                                                      • Part of subcall function 00EFB010: RtlAllocateHeap.NTDLL(?,00000000,?,2F45994F,00000000,011239F0,000000FF,?,?,0123843C,?,?,01074927,80004005,2F45994F,?), ref: 00EFB05A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Item$RectText$ActiveAllocateCurrentErrorExceptionHeapInvalidateLastRaiseShowThread
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1085195845-0
                                                                                                                                                                                    • Opcode ID: 1ee34905d9d392bec9672db7a4e686d472d5f9c25ffba9807afd7732d46addd1
                                                                                                                                                                                    • Instruction ID: ec6efd597b14b2c190a4f6987e66cd84ea073d115e9e3f782a9a0cf72ec1895b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1ee34905d9d392bec9672db7a4e686d472d5f9c25ffba9807afd7732d46addd1
                                                                                                                                                                                    • Instruction Fuzzy Hash: D8718E70900709DFEB21DFA8D948B6EBBF8FF04314F148659E966A7291D774A940CF90

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • #47.MSI(?,AiEmbeddedDirectCall,6C64E00C,00000000,?,00000000), ref: 6C5D1A6E
                                                                                                                                                                                    • #47.MSI(?,AiEmbeddedDirectCall,6C64E00C,00000000,?,00000000), ref: 6C5D1C1E
                                                                                                                                                                                      • Part of subcall function 6C5C1FD0: GetProcessHeap.KERNEL32 ref: 6C5C202C
                                                                                                                                                                                    • FindNextFileW.KERNELBASE(00000000,?,00000000,?,6C621A66,*.*,00000003,00000000,?,00000000), ref: 6C5D1D05
                                                                                                                                                                                    • DeleteFileW.KERNEL32(00000000,?), ref: 6C5D1F2F
                                                                                                                                                                                      • Part of subcall function 6C5C1330: #17.MSI(00000002,?,00000000,?,00000000), ref: 6C5C13F3
                                                                                                                                                                                      • Part of subcall function 6C5C1330: #125.MSI(00000000,00000000,[1],?,00000000), ref: 6C5C140A
                                                                                                                                                                                      • Part of subcall function 6C5C1330: #125.MSI(00000000,00000001,00000000,?,00000000), ref: 6C5C1417
                                                                                                                                                                                      • Part of subcall function 6C5C1330: #103.MSI(?,04000000,00000000,?,00000000), ref: 6C5C1429
                                                                                                                                                                                      • Part of subcall function 6C5C1330: #8.MSI(00000000,?,00000000), ref: 6C5C1438
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2485873494.000000006C580000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2485960344.000000006C627000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486013698.000000006C672000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486038035.000000006C681000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6c580000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: #125File$#103DeleteFindHeapNextProcess
                                                                                                                                                                                    • String ID: *.*$AiEmbeddedDirectCall$Logging is disabled, discard collected data.$Logging is enabled, sending data ...$session$*
                                                                                                                                                                                    • API String ID: 1195310492-2608764594
                                                                                                                                                                                    • Opcode ID: 7467bdf10d1b3100657b6518c04991fd473e56c178debe0500060545063ca26e
                                                                                                                                                                                    • Instruction ID: 075a71a65a1e0c23a1e0dd2c4becf31deaf9f19fbdd61adadc2cc6fd1713ce82
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7467bdf10d1b3100657b6518c04991fd473e56c178debe0500060545063ca26e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1702BE30A01218CBCB15CBA8CC54BEEBBB5AF45328F25418DD405A7791DB34AF89CF96

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,E0ED2AEC,?,00000000), ref: 6C5E452B
                                                                                                                                                                                    • ReadFile.KERNEL32(?,00000000,00001000,?,00000000,00001000), ref: 6C5E459D
                                                                                                                                                                                    • ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,?,?), ref: 6C5E4834
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 6C5E4895
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2485873494.000000006C580000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2485960344.000000006C627000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486013698.000000006C672000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486038035.000000006C681000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6c580000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$Read$CloseCreateHandle
                                                                                                                                                                                    • String ID: 4dl$*
                                                                                                                                                                                    • API String ID: 1724936099-1833429064
                                                                                                                                                                                    • Opcode ID: afeb04e946ee5504753d3c3f21ebacff5850a804b1e9f4258a1a9eb13ae78b90
                                                                                                                                                                                    • Instruction ID: 9903a06672af4d9a01b806f21e4e79783d091fd0dfed2565597ac9c34324e2e4
                                                                                                                                                                                    • Opcode Fuzzy Hash: afeb04e946ee5504753d3c3f21ebacff5850a804b1e9f4258a1a9eb13ae78b90
                                                                                                                                                                                    • Instruction Fuzzy Hash: B6D19E71E01348DBDB20CFA9CC48BAEBBB5AF49308F20465DD415AB781D774AA48CF91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • #47.MSI(?,AiEmbeddedDirectCall,6C64E00C,00000000), ref: 6C5CBB32
                                                                                                                                                                                    • #47.MSI(?,AiEmbeddedDirectCall,6C64E00C,00000000), ref: 6C5CC042
                                                                                                                                                                                    • #47.MSI(?,AiEmbeddedDirectCall,6C64E00C,00000000), ref: 6C5CBD92
                                                                                                                                                                                      • Part of subcall function 6C5C63E0: #171.MSI(00000000,?,6C64E00C,?), ref: 6C5C6416
                                                                                                                                                                                      • Part of subcall function 6C5C63E0: #171.MSI(00000000,?,00000000,?,?,081BB198), ref: 6C5C6456
                                                                                                                                                                                    • #47.MSI(?,AiEmbeddedDirectCall,6C64E00C,00000000,?,?,081BB198), ref: 6C5CC4C2
                                                                                                                                                                                    • #47.MSI(?,AiEmbeddedDirectCall,6C64E00C,00000000,?,081BB198), ref: 6C5CC831
                                                                                                                                                                                    • #47.MSI(?,AiEmbeddedDirectCall,6C64E00C,00000000), ref: 6C5CC214
                                                                                                                                                                                      • Part of subcall function 6C5C1330: #17.MSI(00000002,?,00000000,?,00000000), ref: 6C5C13F3
                                                                                                                                                                                      • Part of subcall function 6C5C1330: #125.MSI(00000000,00000000,[1],?,00000000), ref: 6C5C140A
                                                                                                                                                                                      • Part of subcall function 6C5C1330: #125.MSI(00000000,00000001,00000000,?,00000000), ref: 6C5C1417
                                                                                                                                                                                      • Part of subcall function 6C5C1330: #103.MSI(?,04000000,00000000,?,00000000), ref: 6C5C1429
                                                                                                                                                                                      • Part of subcall function 6C5C1330: #8.MSI(00000000,?,00000000), ref: 6C5C1438
                                                                                                                                                                                      • Part of subcall function 6C5C1FD0: GetProcessHeap.KERNEL32 ref: 6C5C202C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2485873494.000000006C580000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2485960344.000000006C627000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486013698.000000006C672000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486038035.000000006C681000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6c580000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: #125#171$#103HeapProcess
                                                                                                                                                                                    • String ID: -> $4gl$Action ended$AiEmbeddedDirectCall$Crash >> $Error: $Exception >> $Info 1720$LIMITUI$Lifecycle: $LogonUser$Track screen: [$W$Warning: $end$fatal error$success$user abort$xxel$*
                                                                                                                                                                                    • API String ID: 3629383927-1530147290
                                                                                                                                                                                    • Opcode ID: 306c2b887df051cf97b61bf6fe830dcc5eab6f052fdae0c5a7e63e23581d0bd1
                                                                                                                                                                                    • Instruction ID: 16031e7b562b051ddd749f9796fc67addb31e6f3f582dfd28669bc4f730074ba
                                                                                                                                                                                    • Opcode Fuzzy Hash: 306c2b887df051cf97b61bf6fe830dcc5eab6f052fdae0c5a7e63e23581d0bd1
                                                                                                                                                                                    • Instruction Fuzzy Hash: F4B1B070F01244DBDB04DFA8C894BEEBBB1EF89318F24814DE411AB780DB749A45CB96
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,E0ED2AEC,?,00000000), ref: 6C5D306F
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 6C5D3191
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,0000FEFF,00000002,?,00000000), ref: 6C5D31BD
                                                                                                                                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C5D31D3
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 6C5D3216
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 6C5D327B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
• Associated: 00000000.00000002.2485873494.000000006C580000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000000.00000002.2485960344.000000006C627000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000000.00000002.2486013698.000000006C672000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000000.00000002.2486038035.000000006C681000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6c580000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$Write$CloseCreateHandlePointerSize
                                                                                                                                                                                    • String ID: 4dl$*
                                                                                                                                                                                    • API String ID: 3932932802-1833429064
                                                                                                                                                                                    • Opcode ID: cb4d2100a7b5b0981f0fe6ed24e053946e543defc1cbdb35033d44d1a043ae08
                                                                                                                                                                                    • Instruction ID: c3c49b4044622eddef35c2543f2faf70a973614fb355cbff5a5fc1cb9e5df859
                                                                                                                                                                                    • Opcode Fuzzy Hash: cb4d2100a7b5b0981f0fe6ed24e053946e543defc1cbdb35033d44d1a043ae08
                                                                                                                                                                                    • Instruction Fuzzy Hash: 81A16EB0D01309DBEB10CFA8CD59BEEBBB4BF55308F208259E415A7681D774AA48CF95
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DecodePointer.KERNEL32(?,?,?,010FC261,01240844,?,?,?,0107486D,?,?,?,00000001,?), ref: 010FBF2D
                                                                                                                                                                                    • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,010FC261,01240844,?,?,?,0107486D,?,?,?,00000001), ref: 010FBF42
                                                                                                                                                                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 010FBFBE
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DecodePointer$LibraryLoad
                                                                                                                                                                                    • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
                                                                                                                                                                                    • API String ID: 1423960858-1745123996
                                                                                                                                                                                    • Opcode ID: 4170d6a9410f46b7ec9b6666e669fbee45681686ef34ab042d2c4bb2cc63b858
                                                                                                                                                                                    • Instruction ID: 729911853b1105ecf5739f7da4551909768cde2af6ee958e6d53ed8e7f58e769
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4170d6a9410f46b7ec9b6666e669fbee45681686ef34ab042d2c4bb2cc63b858
                                                                                                                                                                                    • Instruction Fuzzy Hash: CD01087460531C77EA6A9B15EC07BD93F945F11648F0400ACFF8567186E7A286CCCEC5
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetExitCodeThread.KERNEL32(?,?,2F45994F,00000000,00000000,?,?,?,00000000,0116EA25,000000FF,?,01049A32,?,000000DC,00000000), ref: 01050C26
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 01050CDB
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 01050D05
                                                                                                                                                                                      • Part of subcall function 00EFA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00F15436,00000000,*.*,?,?,?,?), ref: 00EFA863
                                                                                                                                                                                      • Part of subcall function 01015250: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,00000000,?,01242000,010680E8,?), ref: 01015268
                                                                                                                                                                                      • Part of subcall function 01015250: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 0101529A
                                                                                                                                                                                    • WriteFile.KERNEL32(?,000000DC,?,000000FF,00000000,CLOSE,00000005), ref: 01050E8A
                                                                                                                                                                                    • FlushFileBuffers.KERNEL32(?), ref: 01050E93
                                                                                                                                                                                      • Part of subcall function 01074A40: CloseHandle.KERNEL32(?,2F45994F,?,00000010,?,00000000,01175363,000000FF,?,010503F2,00000000,00000000,00000000,00000001,?,0000000D), ref: 01074A7A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$File$BuffersCloseCodeExitFindFlushHandleHeapProcessResourceThreadWrite
                                                                                                                                                                                    • String ID: Advinst_Estimate_$CLOSE
                                                                                                                                                                                    • API String ID: 1271795120-755230127
                                                                                                                                                                                    • Opcode ID: 176032f2090b9db491f326143aef10cbf72fb89ad61b896dca93d9a5cba7daae
                                                                                                                                                                                    • Instruction ID: d6855b52d2f4779e614b6eda2c485c56a93b5133f2bb44f9a744d1fc08388321
                                                                                                                                                                                    • Opcode Fuzzy Hash: 176032f2090b9db491f326143aef10cbf72fb89ad61b896dca93d9a5cba7daae
                                                                                                                                                                                    • Instruction Fuzzy Hash: D5B1D170A002499BDB54DBA8CC94BBEBBF4AF44324F1841ACF965A73C5DB349D05CBA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,2F45994F,00000000,00000000,?), ref: 0103889B
                                                                                                                                                                                    • GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?,?,00000000,00000000), ref: 01038A3D
                                                                                                                                                                                    • Wow64DisableWow64FsRedirection.KERNEL32(00000000,?,?,00000000,00000000), ref: 01038ADF
                                                                                                                                                                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,00000000,00000000), ref: 01038B07
                                                                                                                                                                                    • Wow64RevertWow64FsRedirection.KERNEL32(00000000,?,?,00000000), ref: 01038B33
                                                                                                                                                                                      • Part of subcall function 00EFB010: RtlAllocateHeap.NTDLL(?,00000000,?,2F45994F,00000000,011239F0,000000FF,?,?,0123843C,?,?,01074927,80004005,2F45994F,?), ref: 00EFB05A
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,2F45994F,?,00000000,01123A40,000000FF,?,80070057,80004005,?), ref: 01038BED
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Wow64$File$Redirection$AllocateCopyDeleteDisableFolderHeapNamePathRevertTemp
                                                                                                                                                                                    • String ID: shim_clone
                                                                                                                                                                                    • API String ID: 4011074531-3944563459
                                                                                                                                                                                    • Opcode ID: 9c4b0ed2b0e2add365507e26be3ffcf826666e3b35007c76e2c25eb1556ce0fc
                                                                                                                                                                                    • Instruction ID: 810ba62928c7e95a0c73059c3dccdeb60daae7fb230fc09c4a084252856aad70
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9c4b0ed2b0e2add365507e26be3ffcf826666e3b35007c76e2c25eb1556ce0fc
                                                                                                                                                                                    • Instruction Fuzzy Hash: 66B1F770900659DFDB29DB28CC44BADB7F8EF84310F1481EEF646A7281EB34AA45CB55
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,2F45994F,00000000), ref: 01031F4B
                                                                                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 01031FBD
                                                                                                                                                                                    • ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,?,00000000), ref: 01032269
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 010322C7
                                                                                                                                                                                      • Part of subcall function 01031DE0: LoadStringW.USER32(000000A1,?,00000514,2F45994F), ref: 01031D38
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$Read$CloseCreateHandleHeapLoadProcessString
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2846944389-0
                                                                                                                                                                                    • Opcode ID: 273546293d36f50a5d7c9484f042798fcf44a328a0f6ac367c90d2f9149a7014
                                                                                                                                                                                    • Instruction ID: 4731bca4dfa171cf42a3d31e4eb043e8684e458a2c71abbb6872d5b1d2a385a2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 273546293d36f50a5d7c9484f042798fcf44a328a0f6ac367c90d2f9149a7014
                                                                                                                                                                                    • Instruction Fuzzy Hash: 44F18271D00218DBDB24CFA8C948BAEBBF9FF88314F248259E555AB281D774A944CB91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,?), ref: 0105AB1E
                                                                                                                                                                                    • SetFilePointer.KERNEL32(?,7FFFFFFF,00000000,00000000,?), ref: 0105AB80
                                                                                                                                                                                    • SetEndOfFile.KERNEL32(?), ref: 0105AB89
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0105ABA2
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Not enough disk space to extract file:, xrefs: 0105A9FB
                                                                                                                                                                                    • %sholder%d.aiph, xrefs: 0105AAFA
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$CloseCreateHandlePointer
                                                                                                                                                                                    • String ID: %sholder%d.aiph$Not enough disk space to extract file:
                                                                                                                                                                                    • API String ID: 22866420-929304071
                                                                                                                                                                                    • Opcode ID: 066b88b23073022bf1cc8282e9936f8c248b4e170eeffe3e28f857fde80962d6
                                                                                                                                                                                    • Instruction ID: 85e20b4bd49ae20220f6917a832fb0f0314feced0a99ca04920dbe0e99b99ad8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 066b88b23073022bf1cc8282e9936f8c248b4e170eeffe3e28f857fde80962d6
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1591C375A00209DBDB54CFA8C844BAEBBF5FF88324F144659ED61B7381DB35A901CB90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetFilePointer.KERNEL32(000000FF,-00000400,?,00000002,00000400,2F45994F,?,?,?), ref: 01079506
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?), ref: 01079514
                                                                                                                                                                                    • ReadFile.KERNEL32(000000FF,00000000,00000400,?,00000000,?,?,?), ref: 0107952F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$ErrorLastPointerRead
                                                                                                                                                                                    • String ID: ADVINSTSFX
                                                                                                                                                                                    • API String ID: 64821003-4038163286
                                                                                                                                                                                    • Opcode ID: 574d2eab6bd6c0de66fac47ddf2dadde06a2df59d0ffdc25d0bb87cbb213928f
                                                                                                                                                                                    • Instruction ID: 71a09f0dd44f4a5c165ed21b1b90f41acc654914c2288e40ff1dcc97f78092d0
                                                                                                                                                                                    • Opcode Fuzzy Hash: 574d2eab6bd6c0de66fac47ddf2dadde06a2df59d0ffdc25d0bb87cbb213928f
                                                                                                                                                                                    • Instruction Fuzzy Hash: EB61C3B1E002199BDF15CF68C884BBEBBF5FF49328F1482A8E555A7281D7349941CB68
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RemoveDirectoryW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,?,01128ADD,000000FF,?,0102E418,?), ref: 0102E170
                                                                                                                                                                                      • Part of subcall function 00EFA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00F15436,00000000,*.*,?,?,?,?), ref: 00EFA863
                                                                                                                                                                                    • RemoveDirectoryW.KERNEL32(?,2F45994F,?,?,00000000,?,?,01128ADD,000000FF,?,0102E418,?,00000000), ref: 0102E1AB
                                                                                                                                                                                    • GetLastError.KERNEL32(?,2F45994F,?,?,00000000,?,?,01128ADD,000000FF,?,0102E418,?,00000000), ref: 0102E1BB
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,00000000,01128ADD,000000FF,?,80004005,2F45994F), ref: 0102E290
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00000000,?,00000000,01128ADD,000000FF,?,80004005,2F45994F,?,?,00000000,?,?,01128ADD), ref: 0102E2DB
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DirectoryErrorLastRemove$DeleteFileFindHeapProcessResource
                                                                                                                                                                                    • String ID: \\?\
                                                                                                                                                                                    • API String ID: 728736790-4282027825
                                                                                                                                                                                    • Opcode ID: 67c5195facb559cc98b58843c4e91797270a65300015b69f0c5449e1de6f229f
                                                                                                                                                                                    • Instruction ID: 34121fff7bacf6ba70cb2f91b8df7e8bb3ee61ce3b031b6e54a1ae752b904946
                                                                                                                                                                                    • Opcode Fuzzy Hash: 67c5195facb559cc98b58843c4e91797270a65300015b69f0c5449e1de6f229f
                                                                                                                                                                                    • Instruction Fuzzy Hash: F85104356406299FDB14DFA8CC48BBEB7E8FF45324F144169E962E7380DB789904CB90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetLastError.KERNEL32(0000000E,2F45994F,?,?,?,00000000,00000000,?), ref: 00F0BD7F
                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00F0BDC3
                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(012472EC), ref: 00F0BDE3
                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(012472EC), ref: 00F0BE07
                                                                                                                                                                                    • CreateWindowExW.USER32(?,?,00000000,012472EC,?,?,?,?,00000000,?,00000000), ref: 00F0BE61
                                                                                                                                                                                      • Part of subcall function 010FC189: GetProcessHeap.KERNEL32(00000008,00000008,00000000,0105C8C1,?,?,?), ref: 010FC18E
                                                                                                                                                                                      • Part of subcall function 010FC189: HeapAlloc.KERNEL32(00000000,?,?,?), ref: 010FC195
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CriticalHeapSection$AllocCreateCurrentEnterErrorLastLeaveProcessThreadWindow
                                                                                                                                                                                    • String ID: AXWIN UI Window
                                                                                                                                                                                    • API String ID: 213679520-1592869507
                                                                                                                                                                                    • Opcode ID: 12ad823270a2435565362ddfe0ee883fbad203b65ff42df6a81d6cdf49ff4a88
                                                                                                                                                                                    • Instruction ID: 0478d4261c9cb72b6a96f0f9dddd796508d623129d1a7bd10dc8c4f7b3741b7e
                                                                                                                                                                                    • Opcode Fuzzy Hash: 12ad823270a2435565362ddfe0ee883fbad203b65ff42df6a81d6cdf49ff4a88
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1551A376A00309AFDB24CF65ED45FAABBF8FB94725F10451EF914A7280D770A814DBA0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • __RTC_Initialize.LIBCMT ref: 6C5EEA11
                                                                                                                                                                                    • ___scrt_uninitialize_crt.LIBCMT ref: 6C5EEA2B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2485873494.000000006C580000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2485960344.000000006C627000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486013698.000000006C672000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486038035.000000006C681000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6c580000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Initialize___scrt_uninitialize_crt
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2442719207-0
                                                                                                                                                                                    • Opcode ID: 725290f171ac4bb4b7dda4cff00f63badb51afde152622d9259e2f0daa5343a2
                                                                                                                                                                                    • Instruction ID: 3264dcdea69682f8914c1f07413db936dd17274e239b7bc459430e852d0b4ab8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 725290f171ac4bb4b7dda4cff00f63badb51afde152622d9259e2f0daa5343a2
                                                                                                                                                                                    • Instruction Fuzzy Hash: E1413732E21624EFDB119F65CC40B9F3BB9EB8E7A8F004519E815A7B90C7B04D058BE0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 00F0BB0F
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000FC), ref: 00F0BB1E
                                                                                                                                                                                    • CallWindowProcW.USER32(?,?,00000082,?,?), ref: 00F0BB39
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000FC), ref: 00F0BB53
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,?), ref: 00F0BB65
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Long$CallProc
                                                                                                                                                                                    • String ID: $
                                                                                                                                                                                    • API String ID: 513923721-3993045852
                                                                                                                                                                                    • Opcode ID: 4a1d3c0292d1dae484631571a014d7be48f111bde197d9b44ebeb80dc745e4af
                                                                                                                                                                                    • Instruction ID: d8943f67d47d8e9f4e077a421b7515dfb964f1510e958154ecc934ca668afcc7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4a1d3c0292d1dae484631571a014d7be48f111bde197d9b44ebeb80dc745e4af
                                                                                                                                                                                    • Instruction Fuzzy Hash: BB417BB1608706AFC710CF19D884A2AFBF5FF88360F104A19F995836A0D772E964DF91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(Advapi32.dll,2F45994F,00000000), ref: 010173B5
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 010173DE
                                                                                                                                                                                    • RegCreateKeyExW.KERNEL32(?,0102BE7F,00000000,00000000,00000000,00000000,00000000,00000000,?,2F45994F,00000000), ref: 01017437
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0101744A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressCloseCreateHandleModuleProc
                                                                                                                                                                                    • String ID: Advapi32.dll$RegCreateKeyTransactedW
                                                                                                                                                                                    • API String ID: 1765684683-2994018265
                                                                                                                                                                                    • Opcode ID: d6fddae60826c675881be13cd8f6228d57119a90ffb51d62b3aa8a31acc33c6e
                                                                                                                                                                                    • Instruction ID: f8bba5b0f418d499d0053c63cc38fd7fdd86774c74138ec3bc7590e213660ca7
                                                                                                                                                                                    • Opcode Fuzzy Hash: d6fddae60826c675881be13cd8f6228d57119a90ffb51d62b3aa8a31acc33c6e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9031C471B44209EBEB258F59DC45FAABFB8FB44B10F10806AF905E7284DB75A854CB90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(ComCtl32.dll,2F45994F,?,00000000,00000000), ref: 01031ABA
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 01031AE0
                                                                                                                                                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000000), ref: 01031B4B
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 01031B69
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: LibraryLoad$AddressFreeImageProc
                                                                                                                                                                                    • String ID: ComCtl32.dll$LoadIconMetric
                                                                                                                                                                                    • API String ID: 1597520822-764666640
                                                                                                                                                                                    • Opcode ID: eed5121a7468d85490881291f8df1f19f1a3fda093a049f97450c6af39e2c5c7
                                                                                                                                                                                    • Instruction ID: 3853244d0dc2095b37af16c708c74ff1569a345ebf9ebd7c3917d131e5b3191e
                                                                                                                                                                                    • Opcode Fuzzy Hash: eed5121a7468d85490881291f8df1f19f1a3fda093a049f97450c6af39e2c5c7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 79318471A40219AFDB198F95D918BBFBFF9EB89750F00426DF916A3280E7755D008B90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 01052C8D
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 01052CA3
                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,0105C8AD), ref: 01052CB8
                                                                                                                                                                                    • InvalidateRect.USER32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,0105C8AD), ref: 01052CC3
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 01052CD1
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 01052CE7
                                                                                                                                                                                    • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,00000000), ref: 01052D26
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Rect$Item$InvalidateShow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2147159307-0
                                                                                                                                                                                    • Opcode ID: 7a7311b378b1e2a0a82f61aa053f7ba2436e58c2589999f7b70ffdea3f6176c6
                                                                                                                                                                                    • Instruction ID: 98156ba3fb7fc4e88f4c7d032b8a5eae1294b270e42f166f001f8b7a72ebed91
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7a7311b378b1e2a0a82f61aa053f7ba2436e58c2589999f7b70ffdea3f6176c6
                                                                                                                                                                                    • Instruction Fuzzy Hash: BF217C75654605AFE310DF34ED49B6BBBE9EF8D700F008619F956D3280E770AD508B92
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetFilePointer.KERNEL32(?,?,?,00000000,2F45994F,00000000), ref: 010574F7
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0105782A
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 010578BA
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 01057506
                                                                                                                                                                                      • Part of subcall function 010318D0: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,2F45994F,?,00000000), ref: 0103191B
                                                                                                                                                                                      • Part of subcall function 010318D0: GetLastError.KERNEL32(?,00000000), ref: 01031925
                                                                                                                                                                                    • ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 01057619
                                                                                                                                                                                    • ReadFile.KERNEL32(?,?,00000000,00000000,00000000,00000001), ref: 01057670
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLast$File$Read$FormatMessagePointer
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3903527278-0
                                                                                                                                                                                    • Opcode ID: 79d6c50f196c568a518594f15e06fe2061504cb2b9eee148ddb21078c5d4dc98
                                                                                                                                                                                    • Instruction ID: ac963641bc8737e37fcca5bc8923e956e6eee6931ef0489481ebfe5d879e49cf
                                                                                                                                                                                    • Opcode Fuzzy Hash: 79d6c50f196c568a518594f15e06fe2061504cb2b9eee148ddb21078c5d4dc98
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2A029071E006099FDB04CFA8C844BAEBBB5FF48324F148259E965E7391E774A901CBA1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FindResource
                                                                                                                                                                                    • String ID: /i $\\?\
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,0107B900,011D2234,00000000,?), ref: 0105CB3D
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0105CB4A
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0105CB73
                                                                                                                                                                                    • GetExitCodeThread.KERNEL32(00000000,?), ref: 0105CB8D
                                                                                                                                                                                    • TerminateThread.KERNEL32(00000000,00000000), ref: 0105CBA5
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0105CBAE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Thread$CloseCodeCreateErrorExitHandleLastObjectSingleTerminateWait
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 010732B0: GetUserNameW.ADVAPI32(?,?), ref: 0107332B
                                                                                                                                                                                      • Part of subcall function 010732B0: GetLastError.KERNEL32 ref: 01073335
                                                                                                                                                                                      • Part of subcall function 010732B0: GetUserNameW.ADVAPI32(?,?), ref: 0107337D
                                                                                                                                                                                      • Part of subcall function 010732B0: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 010733B7
                                                                                                                                                                                      • Part of subcall function 010732B0: GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,-00000001,00000000), ref: 01073402
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000008,?,?,?,?), ref: 0104A675
                                                                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 0104A67C
                                                                                                                                                                                    • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 0104A6AB
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0104A6C0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: EnvironmentNameProcessTokenUserVariable$CloseCurrentErrorHandleInformationLastOpen
                                                                                                                                                                                    • String ID: \/:*?"<>|
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetFileVersionInfoSizeW.KERNELBASE(80004005,01130135,2F45994F,?,?,00000000,00000000,?,00000000,01130135,000000FF,?,80004005,2F45994F,?,00000000), ref: 01038EF5
                                                                                                                                                                                    • GetFileVersionInfoW.KERNELBASE(80004005,?,00000000,000000FF,00000000,?,?,00000000,00000000,?,00000000,01130135,000000FF,?,80004005,2F45994F), ref: 01038F43
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileInfoVersion$Size
                                                                                                                                                                                    • String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 6C5BFB7D
                                                                                                                                                                                    • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C5BFBA2
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6c580000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FolderInformationPathVolume
                                                                                                                                                                                    • String ID: %08X$AABBCCDD$*
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(?,?,?,011CA6C0,00000001,2F45994F,?,0000000A,?,00000000,011688D5,000000FF), ref: 0102DFB7
                                                                                                                                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 0102DFC8
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(?,?,?,011CA6C0,00000001,2F45994F,?,0000000A,?,00000000,011688D5,000000FF), ref: 0102DFDB
                                                                                                                                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 0102DFEC
                                                                                                                                                                                    • FindNextFileW.KERNELBASE(?,?), ref: 0102E03C
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$Attributes$FindNext
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3019667586-0
                                                                                                                                                                                    • Opcode ID: 58e7377b810a49dd61c8ce32b448f3dba16b00388f701fc12e5136e2ff21f3e7
                                                                                                                                                                                    • Instruction ID: 6b741e1690c84e493e76b1d4fb3fe49c25c1b3e3bf7612ada0482ef7d5b793b1
                                                                                                                                                                                    • Opcode Fuzzy Hash: 58e7377b810a49dd61c8ce32b448f3dba16b00388f701fc12e5136e2ff21f3e7
                                                                                                                                                                                    • Instruction Fuzzy Hash: E351DD3050025ADFDB68DFA8CC88BED7BA4FF50314F148268F966972D0DB34AA84CB40
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2485873494.000000006C580000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2485960344.000000006C627000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486013698.000000006C672000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486038035.000000006C681000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6c580000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: dllmain_raw$dllmain_crt_dispatch
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3136044242-0
                                                                                                                                                                                    • Opcode ID: e19b959c37f1410f61d1ec6d3eeffa07e71b98e3c04aec916303bd60e2170279
                                                                                                                                                                                    • Instruction ID: cac29a69ce8edd44120154e49d200be00342a610465dc4cc35cde2cf8a8e9e24
                                                                                                                                                                                    • Opcode Fuzzy Hash: e19b959c37f1410f61d1ec6d3eeffa07e71b98e3c04aec916303bd60e2170279
                                                                                                                                                                                    • Instruction Fuzzy Hash: B121B572E11625EFCB11AF55CC80EAF3A7DEB8A7A8F004519F81567B90C7B08D018BD0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MsgWaitForMultipleObjectsEx.USER32(00000001,000000FF,000000FF,000005FF,00000004), ref: 0102F447
                                                                                                                                                                                    • PeekMessageW.USER32(?,00000000), ref: 0102F478
                                                                                                                                                                                    • TranslateMessage.USER32(00000000), ref: 0102F487
                                                                                                                                                                                    • DispatchMessageW.USER32(00000000), ref: 0102F492
                                                                                                                                                                                    • MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 0102F4A8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4084795276-0
                                                                                                                                                                                    • Opcode ID: 5e6a943de0f0df4c0cbd1b9aae263fe9ca7926e78fc49ad3a4b46409ebd2114b
                                                                                                                                                                                    • Instruction ID: 61a2a8a53a03bd6207ffd95bb9e8df57467d9b886646756a9d2393ef2e6fd4c0
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5e6a943de0f0df4c0cbd1b9aae263fe9ca7926e78fc49ad3a4b46409ebd2114b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8901B574A843017BF7208B54DD49F6A7BECAB48B54F504619F668D20C0FBF8D1448B12
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 6C5C1FD0: GetProcessHeap.KERNEL32 ref: 6C5C202C
                                                                                                                                                                                    • PathIsUNCW.SHLWAPI(00000010), ref: 6C5E52F3
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2485873494.000000006C580000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2485960344.000000006C627000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486013698.000000006C672000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486038035.000000006C681000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6c580000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: HeapPathProcess
                                                                                                                                                                                    • String ID: \\?\$\\?\UNC\$*
                                                                                                                                                                                    • API String ID: 300331711-1668935782
                                                                                                                                                                                    • Opcode ID: 0bd1ecf02aec1770f1cdc7f9044c6f703c80b751cb29298613f7a5e17ce74c08
                                                                                                                                                                                    • Instruction ID: 7ce602db804088ca4ca28e3ed9b461955fa10193003c627af9cf97a88f001718
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0bd1ecf02aec1770f1cdc7f9044c6f703c80b751cb29298613f7a5e17ce74c08
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3802A071A01605CBDB04CFA8CC94BAEB7B5FF89324F14425DE921AB780DB75AD06CB91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • PathIsUNCW.SHLWAPI(?,E0ED2AEC,00000000,?,?,?,00000000,6C6249A5,000000FF,?,6C5D5416,?,00000000), ref: 6C5E5579
                                                                                                                                                                                    • CreateDirectoryW.KERNEL32(6C6249A5,00000000,?,?,6C64E130,00000001), ref: 6C5E562A
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 6C5E5634
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2485873494.000000006C580000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2485960344.000000006C627000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486013698.000000006C672000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2486038035.000000006C681000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6c580000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateDirectoryErrorLastPath
                                                                                                                                                                                    • String ID: *
                                                                                                                                                                                    • API String ID: 953296794-2049891948
                                                                                                                                                                                    • Opcode ID: 607c5262d4a0b4c6cb7d41ab1e67411903d4be5695e12b7a0d09dc3d8658f8c3
                                                                                                                                                                                    • Instruction ID: f44b97ad8e58f1b4efb7860ee6cfc4f6f3287e7d9c706c9f939a5777b2f60c57
                                                                                                                                                                                    • Opcode Fuzzy Hash: 607c5262d4a0b4c6cb7d41ab1e67411903d4be5695e12b7a0d09dc3d8658f8c3
                                                                                                                                                                                    • Instruction Fuzzy Hash: C4617D71A01209CFDB04CFA8C888BEDB7B5FF49328F548659D511A7790DB359909CF91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,00000000,01128ADD,000000FF,?,80004005,2F45994F), ref: 0102E290
                                                                                                                                                                                      • Part of subcall function 00EFA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00F15436,00000000,*.*,?,?,?,?), ref: 00EFA863
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,2F45994F,?,?,?,?,00000000,01128ADD,000000FF,?,0102DFFA), ref: 0102E2CB
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00000000,?,00000000,01128ADD,000000FF,?,80004005,2F45994F,?,?,00000000,?,?,01128ADD), ref: 0102E2DB
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DeleteFile$ErrorFindHeapLastProcessResource
                                                                                                                                                                                    • String ID: \\?\
                                                                                                                                                                                    • API String ID: 2079828947-4282027825
                                                                                                                                                                                    • Opcode ID: 4c980aa24af329fb6cc1812e61d54a0a961293068f89b103e6a7c2b0e9624e8b
                                                                                                                                                                                    • Instruction ID: a90dd9bfb99a3b07272549876a00f44d8d6b99ce155c2431442ac13365b66401
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4c980aa24af329fb6cc1812e61d54a0a961293068f89b103e6a7c2b0e9624e8b
                                                                                                                                                                                    • Instruction Fuzzy Hash: CA31E335640629DFCB14DFA8C848BBEB7E8FF45320F144569E962E7380DB349904CB50
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,2F45994F), ref: 0105368D
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 01053695
                                                                                                                                                                                    • RemoveDirectoryW.KERNEL32(?,2F45994F), ref: 010536FD
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 01053705
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLast$DeleteDirectoryFileRemove
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 50330452-0
                                                                                                                                                                                    • Opcode ID: a1e4b719584fb024eb7fd93d5dbe6be5122c3c17c9a5c7589d7ece75b940d2aa
                                                                                                                                                                                    • Instruction ID: 8655df541ad8e12d5291647d925df3f9010e012258cb84c2c884512cf9ef86a8
                                                                                                                                                                                    • Opcode Fuzzy Hash: a1e4b719584fb024eb7fd93d5dbe6be5122c3c17c9a5c7589d7ece75b940d2aa
                                                                                                                                                                                    • Instruction Fuzzy Hash: B8519071900219CBDFA1DF68C894BEFBBB5FB05344F1541A8DD856B241DB35A908CBA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,2F45994F,?,00000010,?,0104E130,000000FF), ref: 01049C36
                                                                                                                                                                                    • SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 01049C7F
                                                                                                                                                                                    • ReadFile.KERNEL32(00000000,2F45994F,?,000000FF,00000000,00000078,?), ref: 01049CC1
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 01049D58
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$CloseCreateHandlePointerRead
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4133201480-0
                                                                                                                                                                                    • Opcode ID: 6fe166b1c7e8f007a4dadcf984447986361de4826b1cda6fe81fefff178dc1d4
                                                                                                                                                                                    • Instruction ID: d088a954ac712b333bc5bb452e9fe0dd41cae2d2d02f1d750eb7c740faddc784
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6fe166b1c7e8f007a4dadcf984447986361de4826b1cda6fe81fefff178dc1d4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2D51C6719006099BDB15DBACCC88BEEBBF8EF49328F148269E561B72C1C7745905CB94
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 01038840: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,2F45994F,00000000,00000000,?), ref: 0103889B
                                                                                                                                                                                    • GetFileVersionInfoSizeW.KERNELBASE(?,00000000,?,2F45994F,00000000,?,?,?,?,00000000,0116A265,000000FF,00000000,01038D36,?), ref: 01038DCD
                                                                                                                                                                                    • GetFileVersionInfoW.KERNELBASE(?,00000000,0116A265,00000000,00000000,?,?,00000000,0116A265,000000FF,00000000,01038D36,?), ref: 01038DF9
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00000000,0116A265,000000FF,00000000,01038D36,?), ref: 01038E3E
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?), ref: 01038E51
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$InfoVersion$DeleteErrorFolderLastPathSize
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2825328469-0
                                                                                                                                                                                    • Opcode ID: 105d39fa0bc0cbdf89193dc37aaf33a4300aacc1a000ee4c89a46ab621ad3fda
                                                                                                                                                                                    • Instruction ID: 49472ce22b1c10bb3bfb20baf25309b34d948650c81b04ae2507d9b33241eb97
                                                                                                                                                                                    • Opcode Fuzzy Hash: 105d39fa0bc0cbdf89193dc37aaf33a4300aacc1a000ee4c89a46ab621ad3fda
                                                                                                                                                                                    • Instruction Fuzzy Hash: 65316175901209DBEB15CFA9D948BEEBBBCFF44710F14429AE545B3240D7359904CBA0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 01052C09
                                                                                                                                                                                    • DestroyWindow.USER32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0116DBA0), ref: 01052C18
                                                                                                                                                                                    • PostMessageW.USER32(?,00000401,00000000,00000000), ref: 01052C35
                                                                                                                                                                                    • IsWindow.USER32(?), ref: 01052C43
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$CurrentDestroyMessagePostThread
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3186974096-0
                                                                                                                                                                                    • Opcode ID: fa4470eaeedcadb5bc7c4bf9d9bc26a516ad64e698a3f900791598c1114b0af3
                                                                                                                                                                                    • Instruction ID: 852f46de880cf747061719a426f6e67b7257ada061a0588e436ea476c9c81907
                                                                                                                                                                                    • Opcode Fuzzy Hash: fa4470eaeedcadb5bc7c4bf9d9bc26a516ad64e698a3f900791598c1114b0af3
                                                                                                                                                                                    • Instruction Fuzzy Hash: BCF05834145710DFE7B59B28EA0CB53BFE4BF09B05F04488CE5879A986D7B1E480CB58
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • PathIsUNCW.SHLWAPI(?,?), ref: 0102E8AD
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: HeapPathProcess
                                                                                                                                                                                    • String ID: \\?\$\\?\UNC\
                                                                                                                                                                                    • API String ID: 300331711-3019864461
                                                                                                                                                                                    • Opcode ID: 2a426078fb531f0e03921fb065bd5123a46fb8040096fc3c5a88fbdae9fe6760
                                                                                                                                                                                    • Instruction ID: b082543b59ae720b2d40c33ecf4e1f2bf5ec6888ed464625ab6a970029140738
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2a426078fb531f0e03921fb065bd5123a46fb8040096fc3c5a88fbdae9fe6760
                                                                                                                                                                                    • Instruction Fuzzy Hash: 71D1D571A006198BDB04DBA8CC94BAEB7F9FF88324F144169E565E73C1DB78AD05CB90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetTempFileNameW.KERNEL32(?,?,00000000,?,2F45994F,?), ref: 00F03BBA
                                                                                                                                                                                    • MoveFileW.KERNEL32(?,00000000), ref: 00F03DFD
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?), ref: 00F03E47
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$DeleteMoveNameTemp
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 788073729-0
                                                                                                                                                                                    • Opcode ID: 50476ff8a63c73ab97ebb58bc747a48d55afe3ca8f34add72d25ffdfa3cd8cc8
                                                                                                                                                                                    • Instruction ID: 1c41baa5f5fb468e295216e9cd81bf9bcb8cd474c39d254d0c665295449c605b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 50476ff8a63c73ab97ebb58bc747a48d55afe3ca8f34add72d25ffdfa3cd8cc8
                                                                                                                                                                                    • Instruction Fuzzy Hash: D3F19A70D142699ADB24DF28CD987EDBBB5BF94304F1082C9D408A7291EB756BC4DF80
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetTempFileNameW.KERNEL32(?,00000000,00000000,?,2F45994F,?,00000004), ref: 00F037DB
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,?,00000004), ref: 00F0381F
                                                                                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000,?,00000004), ref: 00F0382E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$CreateDeleteDirectoryNameTemp
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2411147693-0
                                                                                                                                                                                    • Opcode ID: 23b0e259a2fc71923cecded3823dd2cb21c984a1536cf3577cdcba33cf545394
                                                                                                                                                                                    • Instruction ID: dd39d2a28d3ef682c17e7c57bba54d2185d00a69975149861a5f60fea9f2ed0f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 23b0e259a2fc71923cecded3823dd2cb21c984a1536cf3577cdcba33cf545394
                                                                                                                                                                                    • Instruction Fuzzy Hash: 26B1D070D04248DBDB14DF68C989BEDBBB4EF54314F20829DE815A7281EB786B84DF90
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 01099CB0: OpenEventW.KERNEL32(00000000,00000000,2F45994F,_pbl_evt,00000008,?,?,011CD49C,00000001,2F45994F,?), ref: 01099D5E
                                                                                                                                                                                      • Part of subcall function 01099CB0: CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 01099D7B
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,00000000,00000001,2F45994F,?,?), ref: 010996DE
                                                                                                                                                                                    • ResetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,01178BD9,000000FF), ref: 010996F3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Event$CreateObjectOpenResetSingleWait
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2109722436-0
                                                                                                                                                                                    • Opcode ID: 30c22af165ae6103c84dadff0544778fe6c2569ae4d5c5ed1c9bef74ceeb3099
                                                                                                                                                                                    • Instruction ID: 14948011606a5bd251bec2c07c9524b7d6769bce196ae2aea64e3f724c80c2e8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 30c22af165ae6103c84dadff0544778fe6c2569ae4d5c5ed1c9bef74ceeb3099
                                                                                                                                                                                    • Instruction Fuzzy Hash: E081E171D00248DBDB14CFA8C845BDEBBB0BF54318F24825DE944AB391D775AA86DB90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,2F45994F,00000000,00000010,?,00000010,?), ref: 01053E3B
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 01053E7D
                                                                                                                                                                                    • GetLastError.KERNEL32(?), ref: 01053F21
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLast$CreateFile
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1722934493-0
                                                                                                                                                                                    • Opcode ID: c381d496a42f5d233d065627aa80ce89388bc6f4caed833e3906fff84a9277fd
                                                                                                                                                                                    • Instruction ID: 0b8f2f0840f93628aa4047ef8e82e57ae88388ed123c2d669bc6737eb2c2c9ea
                                                                                                                                                                                    • Opcode Fuzzy Hash: c381d496a42f5d233d065627aa80ce89388bc6f4caed833e3906fff84a9277fd
                                                                                                                                                                                    • Instruction Fuzzy Hash: E0611331A04A0AEFDB18DB68D844BAAF7B5FF84320F144659E965972D0EB71B901CB90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(0108D941,40000000,00000001,00000000,00000002,00000080,00000000,2F45994F,?,?), ref: 0108C9C2
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,0000C800,0000C800,00000000,?,0000C800), ref: 0108CA68
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,0000C800), ref: 0108CADC
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$CloseCreateHandleWrite
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1065093856-0
                                                                                                                                                                                    • Opcode ID: db37126aa3b9417158476994b1c69e2f4b3c0716ba04b85a2a10d66f3c726b16
                                                                                                                                                                                    • Instruction ID: f53c7b396e8ea65d1fb77add2bce093db4b8daffe9a3ed9275568ad3cd0a7226
                                                                                                                                                                                    • Opcode Fuzzy Hash: db37126aa3b9417158476994b1c69e2f4b3c0716ba04b85a2a10d66f3c726b16
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8A519171901209AFEB14DFA8DA44FEEBBF5EF48314F104259E451B7280D775AD04CBA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • PathIsUNCW.SHLWAPI(?,2F45994F,00000000,?,?,?,?,?,01168AB5,000000FF,?,0104237C,00000000,?,?), ref: 0102EB3B
                                                                                                                                                                                    • CreateDirectoryW.KERNEL32(01168AB5,00000000,?,00000000,011C5B58,00000001), ref: 0102EBFA
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0102EC08
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateDirectoryErrorLastPath
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 953296794-0
                                                                                                                                                                                    • Opcode ID: cf2a453e76edd96781e9476accd038985465303740bb2376ccfbb4b16aca077f
                                                                                                                                                                                    • Instruction ID: 04a417d328cc50799e3cf52ae2cbbf2c146b502526203dbdb7229cea83567fab
                                                                                                                                                                                    • Opcode Fuzzy Hash: cf2a453e76edd96781e9476accd038985465303740bb2376ccfbb4b16aca077f
                                                                                                                                                                                    • Instruction Fuzzy Hash: B161C130A4021DCFDB14DFA8C894BADBBF0FF58314F2485A9E516A7281DB35A905CF91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DeleteFileW.KERNEL32(00000000,0000002A,00000000,?,2F45994F), ref: 0102C770
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,?,00000000,0000002A,00000000,?,2F45994F), ref: 0102C80B
                                                                                                                                                                                    • FindNextFileW.KERNEL32(?,?), ref: 0102C862
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$Delete$FindNext
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1410743141-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,00000000,?,00000000,80004005,?,?,?,?,?,?), ref: 0105AC35
                                                                                                                                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,00000080,00000000,2F45994F,00000000,00000000,80004005,?,?,?,?,?), ref: 0105ACAD
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,011B47C0), ref: 0105AD16
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$CloseCreateDeleteHandle
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3273607511-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetLastError.KERNEL32(01052356), ref: 01052A00
                                                                                                                                                                                    • EnableWindow.USER32(?,00000000), ref: 01052A95
                                                                                                                                                                                    • DestroyWindow.USER32(00000000,00000000), ref: 01052ABB
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$DestroyEnableErrorLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2755773105-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,?,01107D0A,?,?,?,?,2F45994F), ref: 01107D21
                                                                                                                                                                                    • TerminateProcess.KERNEL32(00000000,?,01107D0A,?,?,?,?,2F45994F), ref: 01107D28
                                                                                                                                                                                    • ExitProcess.KERNEL32 ref: 01107D3A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1703294689-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,2F45994F,00000000,00000000), ref: 0102F132
                                                                                                                                                                                      • Part of subcall function 0102F210: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,80004005), ref: 0102F21D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: EnvironmentFolderHeapPathProcessSpecialVariable
                                                                                                                                                                                    • String ID: USERPROFILE
                                                                                                                                                                                    • API String ID: 2976596683-2419442777
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000,E0ED2AEC,00000000,?,?,6C6223A7,6C6249FE,000000FF), ref: 6C5E57A2
                                                                                                                                                                                      • Part of subcall function 6C5C1FD0: GetProcessHeap.KERNEL32 ref: 6C5C202C
                                                                                                                                                                                      • Part of subcall function 6C5C61F0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,00000000,6C5E57E3,-00000010,?,6C6223A7,6C6249FE,000000FF), ref: 6C5C6228
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FindFolderHeapPathProcessResourceSpecial
                                                                                                                                                                                    • String ID: *
                                                                                                                                                                                    • API String ID: 3959041667-2049891948
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RtlFreeHeap.NTDLL(?,00000000,?,E0ED2AEC,?,Function_0008C7D0,000000FF), ref: 6C5C1CDF
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeHeap
                                                                                                                                                                                    • String ID: *
                                                                                                                                                                                    • API String ID: 3298025750-2049891948
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2485893999.000000006C581000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C580000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: H_prolog3
                                                                                                                                                                                    • String ID: *
                                                                                                                                                                                    • API String ID: 431132790-2049891948
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsWindow.USER32(00000000), ref: 0107BF62
                                                                                                                                                                                    • EndDialog.USER32(00000000,00000001), ref: 0107BF71
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DialogWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2634769047-0
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsWindow.USER32(00000004), ref: 00FC66FA
                                                                                                                                                                                    • DestroyWindow.USER32(00000004,?,?,?,?,?,?,?,?,000000FF), ref: 00FC6707
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Destroy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3707531092-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 01031A80: LoadLibraryW.KERNEL32(ComCtl32.dll,2F45994F,?,00000000,00000000), ref: 01031ABA
                                                                                                                                                                                      • Part of subcall function 01031A80: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 01031AE0
                                                                                                                                                                                      • Part of subcall function 01031A80: FreeLibrary.KERNEL32(00000000), ref: 01031B69
                                                                                                                                                                                      • Part of subcall function 01031A80: LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000000), ref: 01031B4B
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 01032502
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 01032511
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: LibraryLoadMessageSend$AddressFreeImageProc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2968665230-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RtlFreeHeap.NTDLL(00000000,00000000,?,0111C32A,?,00000000,?,?,0111C5CB,?,00000007,?,?,0111CA27,?,?), ref: 0111475C
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,0111C32A,?,00000000,?,?,0111C5CB,?,00000007,?,?,0111CA27,?,?), ref: 01114767
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorFreeHeapLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 485612231-0
APIs
• MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,00000000,?,01242000,010680E8,?), ref: 01015268
• MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 0101529A
Memory Dump Source
• Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
APIs
• WaitForSingleObject.KERNEL32(?,000000FF,2F45994F), ref: 0107AC64
APIs
• EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,0105C2E0,?), ref: 0105C1EB
APIs
  • Part of subcall function 00EFA640: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,2F45994F,?,?,000000A7,?,00000000,01123E70,000000FF,?,00EFA850,?), ref: 00EFA696
• FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00F15436,00000000,*.*,?,?,?,?), ref: 00EFA863
  • Part of subcall function 00EFA700: LoadResource.KERNEL32(00000000,00000000,2F45994F,00000001,00000000,?,00000000,011237A0,000000FF,?,00EFA6AC,?,?,?,000000A7,?), ref: 00EFA72B
  • Part of subcall function 00EFA700: LockResource.KERNEL32(00000000,?,00EFA6AC,?,?,?,000000A7,?,00000000,01123E70,000000FF,?,00EFA850,?,?,000000A7), ref: 00EFA736
  • Part of subcall function 00EFA700: SizeofResource.KERNEL32(00000000,00000000,?,00EFA6AC,?,?,?,000000A7,?,00000000,01123E70,000000FF,?,00EFA850,?,?), ref: 00EFA744
APIs
  • Part of subcall function 010FBEB9: EnterCriticalSection.KERNEL32(01240810,?,?,?,00EFA677,00000000,2F45994F,?,?,000000A7,?,00000000,01123E70,000000FF,?,00EFA850), ref: 010FBEC4
  • Part of subcall function 010FBEB9: LeaveCriticalSection.KERNEL32(01240810,?,?,?,00EFA677,00000000,2F45994F,?,?,000000A7,?,00000000,01123E70,000000FF,?,00EFA850), ref: 010FBEF0
• FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,2F45994F,?,?,000000A7,?,00000000,01123E70,000000FF,?,00EFA850,?), ref: 00EFA696
  • Part of subcall function 00EFA700: LoadResource.KERNEL32(00000000,00000000,2F45994F,00000001,00000000,?,00000000,011237A0,000000FF,?,00EFA6AC,?,?,?,000000A7,?), ref: 00EFA72B
  • Part of subcall function 00EFA700: LockResource.KERNEL32(00000000,?,00EFA6AC,?,?,?,000000A7,?,00000000,01123E70,000000FF,?,00EFA850,?,?,000000A7), ref: 00EFA736
  • Part of subcall function 00EFA700: SizeofResource.KERNEL32(00000000,00000000,?,00EFA6AC,?,?,?,000000A7,?,00000000,01123E70,000000FF,?,00EFA850,?,?), ref: 00EFA744
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0102C700: DeleteFileW.KERNEL32(00000000,0000002A,00000000,?,2F45994F), ref: 0102C770
                                                                                                                                                                                    • RemoveDirectoryW.KERNEL32(00000000,?,2F45994F,?,?,00000000,2F45994F,00000000,?,00000000,01168443,000000FF), ref: 0102C67E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DeleteDirectoryFileRemove
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,2F45994F,?,?,?,?,?,?,01157F3D), ref: 0107B1C4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 01114780: RtlAllocateHeap.NTDLL(00000000,00000000,011124EA,?,01116733,?,00000000,?,0110652A,00000000,011124EA,?,?,?,?,011122E4), ref: 011147B2
                                                                                                                                                                                    • RtlReAllocateHeap.NTDLL(00000000,00000000,?,011124EA,00000000,?,0110652A,00000000,011124EA,?,?,?,?,011122E4,?,?), ref: 0111677B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AllocateHeap
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,00000000,2F45994F,00000000,2F45994F), ref: 010753A6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileWrite
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 010FE281: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,00000000,80004005,2F45994F,?), ref: 010FE2E1
                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(?,00000000,?,2F45994F,00000000,011239F0,000000FF,?,?,0123843C,?,?,01074927,80004005,2F45994F,?), ref: 00EFB05A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AllocateExceptionHeapRaise
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,00000000,011124EA,?,01116733,?,00000000,?,0110652A,00000000,011124EA,?,?,?,?,011122E4), ref: 011147B2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AllocateHeap
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: H_prolog3
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 431132790-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 010FC2EC
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010F97B8
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 010F9820
                                                                                                                                                                                      • Part of subcall function 010F97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 010F9831
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 697777088-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 010FC2EC
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010F97B8
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 010F9820
                                                                                                                                                                                      • Part of subcall function 010F97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 010F9831
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 697777088-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 010F8CB2
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010F97B8
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 010F9820
                                                                                                                                                                                      • Part of subcall function 010F97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 010F9831
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 697777088-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 010F92ED
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010F97B8
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 010F9820
                                                                                                                                                                                      • Part of subcall function 010F97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 010F9831
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 697777088-0
                                                                                                                                                                                    • Opcode ID: f6a50df42678a67b224d9e02b3e5b5eb9c67c860bb30ec383a50334f4a7248f5
                                                                                                                                                                                    • Instruction ID: 991a81827511083770db30f3f1f50919cf785ea0d0f17a835c4189dc5ae9b9c7
                                                                                                                                                                                    • Opcode Fuzzy Hash: f6a50df42678a67b224d9e02b3e5b5eb9c67c860bb30ec383a50334f4a7248f5
                                                                                                                                                                                    • Instruction Fuzzy Hash: D9B012C53BC302ED304C61491C93F3E010CD0D0D18320811EF585C5400E4824C050031
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 010F92ED
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010F97B8
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 010F9820
                                                                                                                                                                                      • Part of subcall function 010F97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 010F9831
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 697777088-0
                                                                                                                                                                                    • Opcode ID: dad1fd0b1db79867331658b6775c35723874a28230e5bb14d0eeec6026fad1b1
                                                                                                                                                                                    • Instruction ID: 83dae996063d7adedcf788f7061efe3a51ab6f51ef699a9260ef4e662582d7d6
                                                                                                                                                                                    • Opcode Fuzzy Hash: dad1fd0b1db79867331658b6775c35723874a28230e5bb14d0eeec6026fad1b1
                                                                                                                                                                                    • Instruction Fuzzy Hash: 87B012C53BC202AD314C61551D53F3E010CE0E0A14320812EF285C5400E4874C0A0031
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 010F92ED
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010F97B8
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 010F9820
                                                                                                                                                                                      • Part of subcall function 010F97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 010F9831
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 697777088-0
                                                                                                                                                                                    • Opcode ID: 8cf951cd4523d3656c600354540e98104d2c4b792249732def10a9cb41cd3314
                                                                                                                                                                                    • Instruction ID: 6fa20e8e7290166e349eca364f347130f1bf41aab83a529f9b63f0349d7eb285
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8cf951cd4523d3656c600354540e98104d2c4b792249732def10a9cb41cd3314
                                                                                                                                                                                    • Instruction Fuzzy Hash: 20B012C53BC202AE304C65451C53F3E020CE0D0914320411EF185C5400E4824C050035
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 010F92ED
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010F97B8
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 010F9820
                                                                                                                                                                                      • Part of subcall function 010F97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 010F9831
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 697777088-0
                                                                                                                                                                                    • Opcode ID: aab6de5fffdec8e8a8740d5a13b53007e7bde73434a074333d8f793fc219a23b
                                                                                                                                                                                    • Instruction ID: 166402ffb5b81b3ca302aa11c12c03ebf8aebf7f04e77c743de73fa90b6ab7d2
                                                                                                                                                                                    • Opcode Fuzzy Hash: aab6de5fffdec8e8a8740d5a13b53007e7bde73434a074333d8f793fc219a23b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 96B012C53BC242AD314C61451D53F3E020CD0D0914320811EF285C5400E4874C060035
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 010F9376
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010F97B8
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 010F9820
                                                                                                                                                                                      • Part of subcall function 010F97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 010F9831
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 697777088-0
                                                                                                                                                                                    • Opcode ID: 8ac436ec51a3db7138712928248eeffc77e44c8e5d0383ddfacee8d34c51b01f
                                                                                                                                                                                    • Instruction ID: ed9759170037546ddc239a67c984b7e0d815124bb55bfea44a6d07d4187c48d8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8ac436ec51a3db7138712928248eeffc77e44c8e5d0383ddfacee8d34c51b01f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9AB012C12BC3027D304C51051C43E3E015DE1D0914320861EF245C6480E4410C4D1031
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 010F93B5
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010F97B8
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 010F9820
                                                                                                                                                                                      • Part of subcall function 010F97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 010F9831
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 697777088-0
                                                                                                                                                                                    • Opcode ID: e95ef60e52f861bf025c3d73c9fa1a6361e7d9d56c1d07df0f3f880d731e15ba
                                                                                                                                                                                    • Instruction ID: 39e4e23da7ede8fed8dfe2917105ec1df7a59826cb2d25708aac93e58128d856
                                                                                                                                                                                    • Opcode Fuzzy Hash: e95ef60e52f861bf025c3d73c9fa1a6361e7d9d56c1d07df0f3f880d731e15ba
                                                                                                                                                                                    • Instruction Fuzzy Hash: B5B012C53FD3026D300C51052C03E3E010CE5D4914320821EF1E6C5440E4460C890031
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 010F93B5
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010F97B8
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 010F9820
                                                                                                                                                                                      • Part of subcall function 010F97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 010F9831
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 697777088-0
                                                                                                                                                                                    • Opcode ID: 9c8a07aea5dc39e8fa3f126625f96a5baa821bc0685e9386a8b472ba838a1258
                                                                                                                                                                                    • Instruction ID: 730badcff07f1e1b798322160473f11884cdb3cd8cb0a5a96b223241c4fde6b4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9c8a07aea5dc39e8fa3f126625f96a5baa821bc0685e9386a8b472ba838a1258
                                                                                                                                                                                    • Instruction Fuzzy Hash: D7B012C52FC3026D310C51052C03E3F010CD5E4915320C11FF5D1C5440E4464C090071
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 010F93B5
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010F97B8
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 010F9820
                                                                                                                                                                                      • Part of subcall function 010F97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 010F9831
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 697777088-0
                                                                                                                                                                                    • Opcode ID: 45f231cbf5c9815e149d342b5401338e3561e7db50568f44923418a754806c6f
                                                                                                                                                                                    • Instruction ID: 975009623b82477e8ac1fea4733e3176074b6edae86143570f9974c71bd3b7a1
                                                                                                                                                                                    • Opcode Fuzzy Hash: 45f231cbf5c9815e149d342b5401338e3561e7db50568f44923418a754806c6f
                                                                                                                                                                                    • Instruction Fuzzy Hash: C3B012C52FC3026E300C51062D07E3F010CD5E4914320811EF5D1C5440E84B0C0A0231
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 010F93B5
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010F97B8
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 010F9820
                                                                                                                                                                                      • Part of subcall function 010F97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 010F9831
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 697777088-0
                                                                                                                                                                                    • Opcode ID: db0d377528499d7e5d02a19fc4986d3b04ca036d71788edf1fd0f05a46c0d483
                                                                                                                                                                                    • Instruction ID: 1d3875a5516f3c0013c0c5bae4f11161e02d667503f00687816f582ec0c88820
                                                                                                                                                                                    • Opcode Fuzzy Hash: db0d377528499d7e5d02a19fc4986d3b04ca036d71788edf1fd0f05a46c0d483
                                                                                                                                                                                    • Instruction Fuzzy Hash: 84B012C52FD3026E300C61062C07E3F010CD5D4914320821EF2D5C5440E8460C490131
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 010F946E
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadAcquireSectionWriteAccess.DELAYIMP ref: 010F97B8
                                                                                                                                                                                      • Part of subcall function 010F97AD: DloadReleaseSectionWriteAccess.DELAYIMP ref: 010F9820
                                                                                                                                                                                      • Part of subcall function 010F97AD: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 010F9831
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 697777088-0
                                                                                                                                                                                    • Opcode ID: 824a703ddf5b211f25bee4169aa22c38123803ad501ae62a9f63bcf3d4915667
                                                                                                                                                                                    • Instruction ID: ce86cf80972e36b3de15ee897c0c8095fe9f899908f19f34c0ba526568da23d7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 824a703ddf5b211f25bee4169aa22c38123803ad501ae62a9f63bcf3d4915667
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1EB012C52BD2426D300C910A1D13E3E011CE0E2914320411EF245C5400E8451C050431
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseHandle
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2962429428-0
                                                                                                                                                                                    • Opcode ID: bdca8aebae263871f7325cd0cffb14606b3364782dd769e4480264cf92a42e5c
                                                                                                                                                                                    • Instruction ID: 8d248a756bb3f707d2480b4f535e1da6fd5950bab8df656ce7f2f5d96ac748be
                                                                                                                                                                                    • Opcode Fuzzy Hash: bdca8aebae263871f7325cd0cffb14606b3364782dd769e4480264cf92a42e5c
                                                                                                                                                                                    • Instruction Fuzzy Hash: DCC08C302042104BD7344E18B60879272DC5F04714F00841EA469E3640C774DC408750
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$800$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
                                                                                                                                                                                    • API String ID: 0-2910470256
                                                                                                                                                                                    • Opcode ID: f1867d901c054d258cb9cf921c9fda078640ad63d0d7274c74be7502104e0b8e
                                                                                                                                                                                    • Instruction ID: 8f0b90d8c7010cf963abbaa6db2ff45d5aa20b355b3dc29378515a0e2d19cddf
                                                                                                                                                                                    • Opcode Fuzzy Hash: f1867d901c054d258cb9cf921c9fda078640ad63d0d7274c74be7502104e0b8e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6473D928A557C8D7D329EB72B91936E3A61BB63708F20634CF2813B2D6DBF41584C791
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F22893
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F229D9
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F22A0E
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F22BA3
                                                                                                                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 00F22BB4
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F22BFE
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F22C27
                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00F22C32
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F22D45
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F22D7A
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F22DD4
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F22E93
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F22861
                                                                                                                                                                                      • Part of subcall function 00EFA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00F15436,00000000,*.*,?,?,?,?), ref: 00EFA863
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F22978
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F229A4
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F2300A
                                                                                                                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 00F2301B
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F23065
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F2308E
                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00F23099
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F2319C
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F231F3
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F2321C
                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00F2322A
                                                                                                                                                                                      • Part of subcall function 00EFB010: RtlAllocateHeap.NTDLL(?,00000000,?,2F45994F,00000000,011239F0,000000FF,?,?,0123843C,?,?,01074927,80004005,2F45994F,?), ref: 00EFB05A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClearVariant$String$Free$AllocHeap$AllocateFindProcessResource
                                                                                                                                                                                    • String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
                                                                                                                                                                                    • API String ID: 2653467708-3153392536
                                                                                                                                                                                    • Opcode ID: b637932127a2e69c86aa9badc2a00a7ddd6762a347d9d0433ce6ada71deace8e
                                                                                                                                                                                    • Instruction ID: 33112131ba12c8b4710652678fcafc35af1f94d3803b99d8cc9976e135156b2f
                                                                                                                                                                                    • Opcode Fuzzy Hash: b637932127a2e69c86aa9badc2a00a7ddd6762a347d9d0433ce6ada71deace8e
                                                                                                                                                                                    • Instruction Fuzzy Hash: AEE2BE75D00258DFDB14DFB8D848BAEBBB4FF48310F248259E515B7281EB74AA85DB80
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00F12C7C
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 00F12D15
                                                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00F12D34
                                                                                                                                                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F12D42
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00F12D59
                                                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00F12D7A
                                                                                                                                                                                    • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00F12D91
                                                                                                                                                                                      • Part of subcall function 00EFB010: RtlAllocateHeap.NTDLL(?,00000000,?,2F45994F,00000000,011239F0,000000FF,?,?,0123843C,?,?,01074927,80004005,2F45994F,?), ref: 00EFB05A
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00F12E88
                                                                                                                                                                                    • ShowWindow.USER32(?,?,?,00000000), ref: 00F12F3D
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 00F12F71
                                                                                                                                                                                    • ShowWindow.USER32(?,?,?,00000000), ref: 00F12F8F
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00F12FB9
                                                                                                                                                                                    • IsWindowVisible.USER32(?), ref: 00F1311E
                                                                                                                                                                                    • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00F13148
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00F131F9
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00F13244
                                                                                                                                                                                    • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00F13282
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Rect$LongShow$ClientMessageSend$AllocateHeapVisible
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1979148354-0
                                                                                                                                                                                    • Opcode ID: f32d1f33d87d82cd63b75fe84377cbd2823b41d5f945649449e2be72e79780ef
                                                                                                                                                                                    • Instruction ID: c67c973285472c7166dff8bab7cee0a3f113654bb22a6960d9f42116a065d70d
                                                                                                                                                                                    • Opcode Fuzzy Hash: f32d1f33d87d82cd63b75fe84377cbd2823b41d5f945649449e2be72e79780ef
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5432BC71A04219AFCB24DFA8D884AAEBBF5FF88310F10455DF856A7250DB30E985DF91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrcmpiW.KERNEL32(?,?,msix,00000004,?,?,?,?, ?(-|/)+q,011B9366,?), ref: 00F32DD3
                                                                                                                                                                                    • lstrcmpiW.KERNEL32(?,?,msixbundle,0000000A,msix,00000004,?,?,?,?, ?(-|/)+q,011B9366,?), ref: 00F32F53
                                                                                                                                                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 00F335AB
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?, ?(-|/)+q,011B9366,?), ref: 00F33507
                                                                                                                                                                                      • Part of subcall function 00F14AD0: FindClose.KERNEL32(00000000), ref: 00F14C1F
                                                                                                                                                                                      • Part of subcall function 010318D0: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,2F45994F,?,00000000), ref: 0103191B
                                                                                                                                                                                      • Part of subcall function 010318D0: GetLastError.KERNEL32(?,00000000), ref: 01031925
                                                                                                                                                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 00F33877
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Cpp_errorThrow_lstrcmpistd::_$CloseErrorFindFormatHeapLastMessageProcessSleep
                                                                                                                                                                                    • String ID: ?(-|/)+q$Launch failed. Error:$Launching file:$Return code of launched file:$appx$msix$msixbundle
                                                                                                                                                                                    • API String ID: 2536901295-140134217
                                                                                                                                                                                    • Opcode ID: 5a5a8014ca750ad26102d41ce96b23f5afe3ce56ee7e4e003597fa14b9a258a7
                                                                                                                                                                                    • Instruction ID: 9e189851a263b726be980c4146df3f862e004791cdeeb718335ec0f4b450879c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5a5a8014ca750ad26102d41ce96b23f5afe3ce56ee7e4e003597fa14b9a258a7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 40A2CD71D00218CFDB24DF68C845BADB7B1BF44324F248299E919AB2C1DB74AE85DF91
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • FindFirstFileW.KERNEL32(?,?,00000000,00000000), ref: 0103D2C1
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0103D2F5
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0103D3A1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • No acceptable version found. It is already downloaded and it will be installed., xrefs: 0103D94F
                                                                                                                                                                                    • No acceptable version found. It must be downloaded manually from a site., xrefs: 0103D941
                                                                                                                                                                                    • No acceptable version found., xrefs: 0103D956
                                                                                                                                                                                    • Not selected for install., xrefs: 0103D95D
                                                                                                                                                                                    • An acceptable version was found., xrefs: 0103D92C
                                                                                                                                                                                    • No acceptable version found. It must be downloaded., xrefs: 0103D93A
                                                                                                                                                                                    • No acceptable version found. It must be installed from package., xrefs: 0103D933
                                                                                                                                                                                    • No acceptable version found. Operating System not supported., xrefs: 0103D948
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Find$Close$FileFirstHeapProcess
                                                                                                                                                                                    • String ID: An acceptable version was found.$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.
                                                                                                                                                                                    • API String ID: 4254541338-749633484
                                                                                                                                                                                    • Opcode ID: 1c5129bd40ee219956fcab0cac322b685090a4a8ad39b72911a5a980210bdb61
                                                                                                                                                                                    • Instruction ID: 323ea6136b89a99ff060720d4e98ef28ca7f2b6a9be59d7bc3d7239ba8e409cd
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1c5129bd40ee219956fcab0cac322b685090a4a8ad39b72911a5a980210bdb61
                                                                                                                                                                                    • Instruction Fuzzy Hash: F022BD34A0061A8FDB14DFA8C8983ADBBF5FF88314F5481ADD956A7381DB74A945CF80
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageW.USER32(?,00001036,00010000,00000000), ref: 0100A148
                                                                                                                                                                                    • GetParent.USER32(00000000), ref: 0100A1B4
                                                                                                                                                                                    • GetWindowRect.USER32(00000000), ref: 0100A1BB
                                                                                                                                                                                    • GetParent.USER32(00000000), ref: 0100A1CA
                                                                                                                                                                                    • GetDC.USER32(00000000), ref: 0100A1D1
                                                                                                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 0100A22F
                                                                                                                                                                                    • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0100A248
                                                                                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 0100A259
                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0100A272
                                                                                                                                                                                      • Part of subcall function 00FBCBA0: IsWindowVisible.USER32(?), ref: 00FBCC23
                                                                                                                                                                                      • Part of subcall function 00FBCBA0: GetWindowRect.USER32(?,?), ref: 00FBCC3B
                                                                                                                                                                                      • Part of subcall function 00FBCBA0: GetWindowRect.USER32(?,?), ref: 00FBCC53
                                                                                                                                                                                      • Part of subcall function 00FBCBA0: IntersectRect.USER32(?,?,?), ref: 00FBCC70
                                                                                                                                                                                      • Part of subcall function 00FBCBA0: EqualRect.USER32(?,?), ref: 00FBCC80
                                                                                                                                                                                      • Part of subcall function 00FBCBA0: GetSysColorBrush.USER32(0000000F), ref: 00FBCC97
                                                                                                                                                                                    • FillRect.USER32(?,?,00000000), ref: 0100A288
                                                                                                                                                                                    • DeleteDC.GDI32(?), ref: 0100A2A8
                                                                                                                                                                                    • SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 0100A2C6
                                                                                                                                                                                    • SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 0100A2DD
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Rect$Window$MessageSend$CompatibleCreateParent$BitmapBrushColorDeleteEqualFillIntersectObjectPointsSelectVisible
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2161025992-0
                                                                                                                                                                                    • Opcode ID: b05cf174604892acf8a0b6de05377e858dee0f8115e28165e0c5723408dab19a
                                                                                                                                                                                    • Instruction ID: 4acc0ad7bc1749cb1bd2eccd3e0ecb452a21d9ab55a92c788f9225803cb95925
                                                                                                                                                                                    • Opcode Fuzzy Hash: b05cf174604892acf8a0b6de05377e858dee0f8115e28165e0c5723408dab19a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0F614A75D002189FDB10CFA8D949BEDBBB8FF48711F14421AE916B7284DB746981CF90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0100AC01
                                                                                                                                                                                    • RedrawWindow.USER32(?,00000000,00000000,00000541), ref: 0100AC13
                                                                                                                                                                                    • SendMessageW.USER32(?,00000443,00000000), ref: 0100AC75
                                                                                                                                                                                    • GetDC.USER32(00000000), ref: 0100AC99
                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0100ACA4
                                                                                                                                                                                    • MulDiv.KERNEL32(?,00000000), ref: 0100ACAC
                                                                                                                                                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0100ACD1
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$CapsCreateDeviceFontMessageRedrawSend
                                                                                                                                                                                    • String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
                                                                                                                                                                                    • API String ID: 367477953-2319862951
                                                                                                                                                                                    • Opcode ID: 15bf4713ff51b0310d35d0b08c9d48389b3af376aa49cef1443b0fed69411d1c
                                                                                                                                                                                    • Instruction ID: 0ed3a2033c88c410d59bd08a035fb657ec71577a4e7cc8ced55f392cd1f78ee0
                                                                                                                                                                                    • Opcode Fuzzy Hash: 15bf4713ff51b0310d35d0b08c9d48389b3af376aa49cef1443b0fed69411d1c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8DE1B331A006199FEB19CF64CC59BEEBBB2FF88300F108259E556A72C1DB746A45CF91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000), ref: 010133FF
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 01013429
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?), ref: 0101346A
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 010134DD
                                                                                                                                                                                    • ShellExecuteExW.SHELL32 ref: 01013578
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseFileHandle$CreateExecuteShellWrite
                                                                                                                                                                                    • String ID: .bat$EXE$open$runas
                                                                                                                                                                                    • API String ID: 548387358-1492471297
                                                                                                                                                                                    • Opcode ID: d454050e608bf041bc092a1948db11c2a2a10d830f17a72a386545dd3b6006de
                                                                                                                                                                                    • Instruction ID: 97fec2a8c9ddaa912c930040955b0c3dd1c78defbd2d2eb5c89184715cb64e20
                                                                                                                                                                                    • Opcode Fuzzy Hash: d454050e608bf041bc092a1948db11c2a2a10d830f17a72a386545dd3b6006de
                                                                                                                                                                                    • Instruction Fuzzy Hash: 24B18C70A006489FDB14DFA8C858BADBBF5BF49324F1482A9E516AB381DB74A905CF50
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F2F604
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                                                    • String ID: ' AND `Control_`='$AiTabPage$ControlEvent$Dialog$SpawnDialog$Title$`Dialog_`='
                                                                                                                                                                                    • API String ID: 3850602802-1412757306
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 010FCAB5: AcquireSRWLockExclusive.KERNEL32(01240888,?,?,?,00EFB446,0124149C,2F45994F,?,?,01123F6D,000000FF,?,010748BD,2F45994F,?), ref: 010FCAC0
                                                                                                                                                                                      • Part of subcall function 010FCAB5: ReleaseSRWLockExclusive.KERNEL32(01240888,?,?,00EFB446,0124149C,2F45994F,?,?,01123F6D,000000FF,?,010748BD,2F45994F,?), ref: 010FCAFA
                                                                                                                                                                                    • GetStdHandle.KERNEL32(000000F5,?,2F45994F,?,?), ref: 01034917
                                                                                                                                                                                    • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 0103491E
                                                                                                                                                                                    • GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 01034932
                                                                                                                                                                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 01034939
                                                                                                                                                                                    • GetStdHandle.KERNEL32(000000F5,000000FF,?,00000000,?,00000000,011B76F4,00000002,?,?), ref: 010349F2
                                                                                                                                                                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 010349F9
                                                                                                                                                                                    • IsWindow.USER32(00000000), ref: 01034C98
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ConsoleHandle$AttributeExclusiveLockText$AcquireBufferInfoReleaseScreenWindow
                                                                                                                                                                                    • String ID: Error
                                                                                                                                                                                    • API String ID: 2349801371-2619118453
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • AI_CF_CLOSEBTN_COLORS, xrefs: 00EF16FC
                                                                                                                                                                                    • AI_CF_MINBTN_COLORS, xrefs: 00EF1696
                                                                                                                                                                                    • AI_CF_FRAME_BORDER3_COLORS, xrefs: 00EF1665
                                                                                                                                                                                    • AI_CF_MINBTN_BASE_COLOR, xrefs: 00EF154C
                                                                                                                                                                                    • AI_CF_FRAME_BASE_COLOR, xrefs: 00EF14CC
                                                                                                                                                                                    • AI_CF_FRAME_BORDER2_COLORS, xrefs: 00EF1612
                                                                                                                                                                                    • AI_CF_FRAME_CAPTION2_COLORS, xrefs: 00EF150A
                                                                                                                                                                                    • AI_CF_FRAME_BORDER1_COLORS, xrefs: 00EF15D0
                                                                                                                                                                                    • AI_CF_CLOSEBTN_BORDER_COLORS, xrefs: 00EF172F
                                                                                                                                                                                    • AI_CF_MINBTN_BORDER_COLORS, xrefs: 00EF16C9
                                                                                                                                                                                    • AI_CF_CLOSEBTN_BASE_COLOR, xrefs: 00EF158E
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: AI_CF_CLOSEBTN_BASE_COLOR$AI_CF_CLOSEBTN_BORDER_COLORS$AI_CF_CLOSEBTN_COLORS$AI_CF_FRAME_BASE_COLOR$AI_CF_FRAME_BORDER1_COLORS$AI_CF_FRAME_BORDER2_COLORS$AI_CF_FRAME_BORDER3_COLORS$AI_CF_FRAME_CAPTION2_COLORS$AI_CF_MINBTN_BASE_COLOR$AI_CF_MINBTN_BORDER_COLORS$AI_CF_MINBTN_COLORS
                                                                                                                                                                                    • API String ID: 0-1938184520
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00F24D6B
                                                                                                                                                                                      • Part of subcall function 010FCAB5: AcquireSRWLockExclusive.KERNEL32(01240888,?,?,?,00EFB446,0124149C,2F45994F,?,?,01123F6D,000000FF,?,010748BD,2F45994F,?), ref: 010FCAC0
                                                                                                                                                                                      • Part of subcall function 010FCAB5: ReleaseSRWLockExclusive.KERNEL32(01240888,?,?,00EFB446,0124149C,2F45994F,?,?,01123F6D,000000FF,?,010748BD,2F45994F,?), ref: 010FCAFA
                                                                                                                                                                                      • Part of subcall function 010FCA64: AcquireSRWLockExclusive.KERNEL32(01240888,?,?,00EFB4B7,0124149C,01187860), ref: 010FCA6E
                                                                                                                                                                                      • Part of subcall function 010FCA64: ReleaseSRWLockExclusive.KERNEL32(01240888,?,?,00EFB4B7,0124149C,01187860), ref: 010FCAA1
                                                                                                                                                                                      • Part of subcall function 010FCA64: WakeAllConditionVariable.KERNEL32(01240884,?,?,00EFB4B7,0124149C,01187860), ref: 010FCAAC
                                                                                                                                                                                    • SendMessageW.USER32(?,0000104D,00000000,?), ref: 00F2525E
                                                                                                                                                                                    • SendMessageW.USER32(?,0000102B,?,0000000F), ref: 00F2530C
                                                                                                                                                                                    • SendMessageW.USER32(?,00001003,00000001,?), ref: 00F253B3
                                                                                                                                                                                      • Part of subcall function 01022A80: __cftof.LIBCMT ref: 01022AD0
                                                                                                                                                                                    • SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 00F25566
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$ExclusiveLock$AcquireRelease$ConditionVariableWake__cftof
                                                                                                                                                                                    • String ID: AiFeatIco$Icon
                                                                                                                                                                                    • API String ID: 1739475930-1280411655
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
                                                                                                                                                                                    • API String ID: 0-932585912
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: __floor_pentium4
                                                                                                                                                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                    • API String ID: 4168288129-2761157908
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 010634B0
                                                                                                                                                                                    • GetDriveTypeW.KERNEL32(?), ref: 010634CA
                                                                                                                                                                                    • Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 01063573
                                                                                                                                                                                    • Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 01063816
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Wow64$DriveRedirection$DisableHeapLogicalProcessRevertStringsType
                                                                                                                                                                                    • String ID: ]%!
                                                                                                                                                                                    • API String ID: 4157823300-1069524040
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsProcessorFeaturePresent.KERNEL32(0000000C,010FC039,00000000,?,010FC1D1,?,?,?,?), ref: 010FC11F
                                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,?,?,?), ref: 010FC146
                                                                                                                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 010FC14D
                                                                                                                                                                                    • InitializeSListHead.KERNEL32(00000000,?,?,?,?), ref: 010FC15A
                                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?), ref: 010FC16F
                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 010FC176
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1475849761-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _strrchr
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3213747228-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • KillTimer.USER32(00000003,00000001,2F45994F,?,?,?,?,01129F74,000000FF), ref: 00F18F41
                                                                                                                                                                                    • GetWindowLongW.USER32(00000003,000000FC), ref: 00F18F56
                                                                                                                                                                                    • SetWindowLongW.USER32(00000003,000000FC,?), ref: 00F18F68
                                                                                                                                                                                    • DeleteCriticalSection.KERNEL32(?,2F45994F,?,?,?,?,01129F74,000000FF), ref: 00F18F93
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: LongWindow$CriticalDeleteKillSectionTimer
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1032004442-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindFirstFileW.KERNEL32(?,?,00000000,00000010), ref: 01064B5C
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 01064CDF
                                                                                                                                                                                      • Part of subcall function 00EFB010: RtlAllocateHeap.NTDLL(?,00000000,?,2F45994F,00000000,011239F0,000000FF,?,?,0123843C,?,?,01074927,80004005,2F45994F,?), ref: 00EFB05A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Find$AllocateCloseFileFirstHeap
                                                                                                                                                                                    • String ID: %d.%d.%d.%d
                                                                                                                                                                                    • API String ID: 1673784098-3491811756
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: <> "$ = "$Hide$Show
                                                                                                                                                                                    • API String ID: 0-289022205
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,00000002,011B4720,00000000), ref: 0105C391
                                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,00000002,?,-00000001,00000078,-00000001), ref: 0105C3CD
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InfoLocale$HeapProcess
                                                                                                                                                                                    • String ID: %d-%s
                                                                                                                                                                                    • API String ID: 3246605784-1781338863
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: MultipleInstances$MultipleInstancesProps$OldProductCode$ProductCode
                                                                                                                                                                                    • API String ID: 0-469785651
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • VirtualQuery.KERNEL32(80000000,010F9538,0000001C,010F972D,00000000,?,?,?,?,?,?,?,010F9538,00000004,01240394,010F97BD), ref: 010F9604
                                                                                                                                                                                    • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,010F9538,00000004,01240394,010F97BD), ref: 010F961F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InfoQuerySystemVirtual
                                                                                                                                                                                    • String ID: D
                                                                                                                                                                                    • API String ID: 401686933-2746444292
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindFirstFileW.KERNEL32(?,?,2F45994F,?,?), ref: 0101042F
                                                                                                                                                                                    • FindNextFileW.KERNEL32(000000FF,00000010), ref: 0101053A
                                                                                                                                                                                    • FindClose.KERNEL32(000000FF), ref: 01010595
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Find$File$CloseFirstNext
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3541575487-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsWindow.USER32(00000004), ref: 00F1275B
                                                                                                                                                                                    • GetWindowLongW.USER32(00000004,000000FC), ref: 00F12774
                                                                                                                                                                                    • SetWindowLongW.USER32(00000004,000000FC,?), ref: 00F12786
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Long
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 847901565-0
                                                                                                                                                                                    • Opcode ID: b09a1f6dbd9287399b6d7cf7eca70fe9adec3a08d1609b4ccfbf27857ca05142
                                                                                                                                                                                    • Instruction ID: 446ef980522af26f88465be8e0bc668d1e096d65cb1f5d54fa384b127f3ed280
                                                                                                                                                                                    • Opcode Fuzzy Hash: b09a1f6dbd9287399b6d7cf7eca70fe9adec3a08d1609b4ccfbf27857ca05142
                                                                                                                                                                                    • Instruction Fuzzy Hash: A8419CB0A00756AFDB14CFA4D948B9ABBB4FF04324F004268E815977C0DBB6E924DB90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadResource.KERNEL32(00000000,00000000,2F45994F,00000001,00000000,?,00000000,011237A0,000000FF,?,00EFA6AC,?,?,?,000000A7,?), ref: 00EFA72B
                                                                                                                                                                                    • LockResource.KERNEL32(00000000,?,00EFA6AC,?,?,?,000000A7,?,00000000,01123E70,000000FF,?,00EFA850,?,?,000000A7), ref: 00EFA736
                                                                                                                                                                                    • SizeofResource.KERNEL32(00000000,00000000,?,00EFA6AC,?,?,?,000000A7,?,00000000,01123E70,000000FF,?,00EFA850,?,?), ref: 00EFA744
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Resource$LoadLockSizeof
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2853612939-0
                                                                                                                                                                                    • Opcode ID: f227f9bec39b40d1962db424cb0e20193d97117e4af4858141cc0d54684afe9a
                                                                                                                                                                                    • Instruction ID: 3b1178d4fc1604b8716e54ef987df9dc8d0330e74377426de82da11a8d642be3
                                                                                                                                                                                    • Opcode Fuzzy Hash: f227f9bec39b40d1962db424cb0e20193d97117e4af4858141cc0d54684afe9a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1B11E772A006589BC7359F59DC44F7AB7FCE788714F144A7BED2AE7240E6359C008690
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetWindowLongW.USER32(0000001B,000000FC), ref: 00F0A699
                                                                                                                                                                                    • SetWindowLongW.USER32(0000001B,000000FC,?), ref: 00F0A6A7
                                                                                                                                                                                    • DestroyWindow.USER32(0000001B,?,?,?,?,?,?,?,?,?,?,?,?,80004003,?,00000000), ref: 00F0A6D3
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Long$Destroy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3055081903-0
                                                                                                                                                                                    • Opcode ID: cda95f2beb0da3263e24cec4f2c3cc5697b6926b0cae633a4a8b2b73c5c1e836
                                                                                                                                                                                    • Instruction ID: d18ee47f1cf046c26f1b2e3bb78c93bf53c6951173ffc2281b37a04fafe5f9fa
                                                                                                                                                                                    • Opcode Fuzzy Hash: cda95f2beb0da3263e24cec4f2c3cc5697b6926b0cae633a4a8b2b73c5c1e836
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0EF0B735404B119BDB715F28FD09B92BFE1BF05761F184B29E4AB829E4DBA1A854BB00
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: d27568dee6e504eeda6fcdcc351cfe64da91595b8b7e8ca66b4b8da94aa0efd7
                                                                                                                                                                                    • Instruction ID: e7b5a67a00873bd839f10c87ad165154960300b9389070d8c734115acbe09151
                                                                                                                                                                                    • Opcode Fuzzy Hash: d27568dee6e504eeda6fcdcc351cfe64da91595b8b7e8ca66b4b8da94aa0efd7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 30F12E71E002199FDF19CFA8D8807ADBBB1FF88324F1582AAD915A7391D7709A41CF94
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00F2656B
                                                                                                                                                                                    • SendMessageW.USER32(?,0000102B,0000009B,-00000002), ref: 00F267A8
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3850602802-0
                                                                                                                                                                                    • Opcode ID: 4aa3cd6cf0f84f5090c6461425f74833e8408ea967ceff87a4c8bd580c2f451c
                                                                                                                                                                                    • Instruction ID: 86f6a16ec637bb55e4788dc0ce2df7f1350ba960b59d079a0a6a2c2c76617ce5
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4aa3cd6cf0f84f5090c6461425f74833e8408ea967ceff87a4c8bd580c2f451c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 77C1B1719002168FCF18CF64D8A5AEEBBF5FF08314F188169E816EF285D734A945DB90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindFirstFileW.KERNEL32(?,00000000,?,?,00000003,2F45994F,00000000,?,00000000), ref: 010541B4
                                                                                                                                                                                    • FindClose.KERNEL32(00000000,?,00000000), ref: 010541FF
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Find$CloseFileFirst
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2295610775-0
                                                                                                                                                                                    • Opcode ID: 6c5aae7524b50083ae000c5f90cfa2edd603c6ce9923b361de188411c6a10619
                                                                                                                                                                                    • Instruction ID: d881d4e40d58a8156a6eb329aa78d68b6a64fcfb623974d15527c6edbeb330e2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6c5aae7524b50083ae000c5f90cfa2edd603c6ce9923b361de188411c6a10619
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4A51AF7190061ACFDB25DFA8C854BAEBBF4FF48314F104558DD56AB381EB34AA05CB91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • __set_se_translator.LIBVCRUNTIME ref: 00F34F45
                                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_0013D330), ref: 00F34F5B
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ExceptionFilterUnhandled__set_se_translator
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2480343447-0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ExceptionRaise__floor_pentium4
                                                                                                                                                                                    • String ID: unordered_map/set too long
                                                                                                                                                                                    • API String ID: 996205981-306623848
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSysColor.USER32(00000008), ref: 00F08623
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Color
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2811717613-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,00F1CF48,?,?,?,?,?), ref: 00F1E940
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: NtdllProc_Window
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4255912815-0
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Unable to find file , xrefs: 0106EB26
                                                                                                                                                                                    • Unable to create process: , xrefs: 0106ED28
                                                                                                                                                                                    • Unable to retrieve PowerShell output from file: , xrefs: 0106EE84
                                                                                                                                                                                    • Unable to get a temp file for script output, temp path: , xrefs: 0106EC27
                                                                                                                                                                                    • powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new, xrefs: 0106EC83
                                                                                                                                                                                    • txt, xrefs: 0106EBDE
                                                                                                                                                                                    • ps1, xrefs: 0106EBB1, 0106EBC3, 0106EBCD
                                                                                                                                                                                    • Unable to retrieve exit code from process., xrefs: 0106EEA7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: Unable to create process: $Unable to find file $Unable to get a temp file for script output, temp path: $Unable to retrieve PowerShell output from file: $Unable to retrieve exit code from process.$powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new$ps1$txt
                                                                                                                                                                                    • API String ID: 0-4129021124
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(00000007,000001F6), ref: 0103A7F8
                                                                                                                                                                                    • GetDlgItem.USER32(00000007,000001F8), ref: 0103A808
                                                                                                                                                                                    • GetDlgItem.USER32(00000007,000001F7), ref: 0103A84E
                                                                                                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 0103A861
                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000005), ref: 0103A8BF
                                                                                                                                                                                    • GetDlgItem.USER32(00000007,000001F7), ref: 0103A8E5
                                                                                                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 0103A8F8
                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000000), ref: 0103A955
                                                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 0103A960
                                                                                                                                                                                    • SetWindowPos.USER32(00000007,00000000,00000000,00000000,?,?,00000616), ref: 0103A9AD
                                                                                                                                                                                    • GetDlgItem.USER32(?,000000FF), ref: 0103A9E0
                                                                                                                                                                                    • IsWindow.USER32(00000000), ref: 0103A9EA
                                                                                                                                                                                    • SetWindowPos.USER32(000000FF,00000000,?,?,?,?,00000014,?,000000FF,?,?,00000616), ref: 0103AA37
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Item$Show$Text
                                                                                                                                                                                    • String ID: Details <<$Details >>
                                                                                                                                                                                    • API String ID: 2476474966-3763984547
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • BeginPaint.USER32(?,?), ref: 00F08736
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00F0874E
                                                                                                                                                                                    • FillRect.USER32(00000000,?,00000000), ref: 00F0876D
                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00F08774
                                                                                                                                                                                    • EndPaint.USER32(?,?), ref: 00F08782
                                                                                                                                                                                    • BeginPaint.USER32(?,?), ref: 00F087B7
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00F087CF
                                                                                                                                                                                    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00F087E8
                                                                                                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00F087FD
                                                                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00F0880F
                                                                                                                                                                                    • FillRect.USER32(00000000,?,00000000), ref: 00F0883C
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00F08846
                                                                                                                                                                                    • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00F0888D
                                                                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00F0889C
                                                                                                                                                                                    • DeleteDC.GDI32(00000000), ref: 00F088A3
                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00F088AA
                                                                                                                                                                                    • EndPaint.USER32(?,?), ref: 00F088B8
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Object$DeletePaintRect$BeginClientCompatibleCreateFillSelect$Bitmap
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1280635051-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 01031A80: LoadLibraryW.KERNEL32(ComCtl32.dll,2F45994F,?,00000000,00000000), ref: 01031ABA
                                                                                                                                                                                      • Part of subcall function 01031A80: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 01031AE0
                                                                                                                                                                                      • Part of subcall function 01031A80: FreeLibrary.KERNEL32(00000000), ref: 01031B69
                                                                                                                                                                                    • GetDlgItem.USER32(?,000001F4), ref: 0103A4CB
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 0103A4DA
                                                                                                                                                                                    • GetDC.USER32(00000000), ref: 0103A4E6
                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000), ref: 0103A4ED
                                                                                                                                                                                    • MulDiv.KERNEL32(00000009,00000000), ref: 0103A4F6
                                                                                                                                                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Courier New), ref: 0103A51F
                                                                                                                                                                                    • GetDlgItem.USER32(?,000001F6), ref: 0103A530
                                                                                                                                                                                    • IsWindow.USER32(00000000), ref: 0103A539
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000030,?,00000000), ref: 0103A550
                                                                                                                                                                                    • GetDlgItem.USER32(?,000001F8), ref: 0103A55E
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0103A56D
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0103A581
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0103A595
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$ItemRect$LibraryMessageSend$AddressCapsCreateDeviceFontFreeLoadProc
                                                                                                                                                                                    • String ID: Courier New
                                                                                                                                                                                    • API String ID: 1731048342-2572734833
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(Advapi32.dll,2F45994F,00000000,00000000), ref: 0102A531
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0102A55F
                                                                                                                                                                                      • Part of subcall function 00EFB010: RtlAllocateHeap.NTDLL(?,00000000,?,2F45994F,00000000,011239F0,000000FF,?,?,0123843C,?,?,01074927,80004005,2F45994F,?), ref: 00EFB05A
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 0102A575
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 0102A591
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0102A59E
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0102A795
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0102A7FA
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLast$Library$AddressAllocateFreeHeapLoadProc
                                                                                                                                                                                    • String ID: Advapi32.dll$ConvertStringSidToSidW
                                                                                                                                                                                    • API String ID: 3460774402-1129428314
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(012472EC,2F45994F,00000000,?,?,?,?,?,?,00F07A15,0112713D,000000FF), ref: 00F082ED
                                                                                                                                                                                    • GetClassInfoExW.USER32 ref: 00F0832D
                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00F08368
                                                                                                                                                                                    • RegisterClassExW.USER32(00000030), ref: 00F08391
                                                                                                                                                                                    • GetClassInfoExW.USER32(AtlAxWinLic140,00000030), ref: 00F083D8
                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00F08410
                                                                                                                                                                                    • RegisterClassExW.USER32(00000030), ref: 00F08431
                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(012472EC), ref: 00F08463
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Class$CriticalCursorInfoLoadRegisterSection$EnterLeave
                                                                                                                                                                                    • String ID: 0$AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST
                                                                                                                                                                                    • API String ID: 927868316-283551416
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,2F45994F,00000000,?,?,?,?,?,?,?,?,?,?,?,2F45994F), ref: 00F012D3
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00F012D9
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(?,.dll,-00000001,00000000,011B4720,00000000,00000000,00000000), ref: 00F0149B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: LibraryLoad$AddressProc
                                                                                                                                                                                    • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
                                                                                                                                                                                    • API String ID: 1469910268-2454113998
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,2F45994F), ref: 00F2C178
                                                                                                                                                                                      • Part of subcall function 00F09C20: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00F09C62
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00F2C283
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 00F2C297
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000421,00000003,?), ref: 00F2C2AC
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00F2C2C1
                                                                                                                                                                                    • SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00F2C2D8
                                                                                                                                                                                    • ClientToScreen.USER32(?,?), ref: 00F2C2F8
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00F2C30A
                                                                                                                                                                                    • PtInRect.USER32(?,?,?), ref: 00F2C31A
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000412,00000000), ref: 00F2C366
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00F2C37A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Window$Rect$ClientCreateLongScreen
                                                                                                                                                                                    • String ID: tooltips_class32
                                                                                                                                                                                    • API String ID: 1090444958-1918224756
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00F76F67
                                                                                                                                                                                    • GetParent.USER32(00000000), ref: 00F76F7A
                                                                                                                                                                                    • GetWindow.USER32(00000000,00000004), ref: 00F76F85
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00F76F93
                                                                                                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00F76FA6
                                                                                                                                                                                    • MonitorFromWindow.USER32(00000000,00000002), ref: 00F76FBE
                                                                                                                                                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00F76FD4
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00F76FFA
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 00F770B5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$LongMonitorRect$FromInfoParent
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1468510684-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00000000), ref: 0103D616
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0103D61D
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,?,?,00000000), ref: 0103D657
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressCurrentHandleModuleProcProcess
                                                                                                                                                                                    • String ID: IsWow64Process2$Not selected for install.$Search result:$Searching for:$Undefined$Wrong OS or Os language for:$kernel32
                                                                                                                                                                                    • API String ID: 4190356694-4272450043
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • InitializeCriticalSection.KERNEL32(01242000,2F45994F,-00000001), ref: 0106748C
                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(-00000001,2F45994F,-00000001), ref: 01067499
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,?,2F45994F,00000000), ref: 010674CB
                                                                                                                                                                                    • FlushFileBuffers.KERNEL32(00000000,?,?,2F45994F,00000000), ref: 010674D4
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,011B46F0,00000001,?,?,2F45994F,00000000), ref: 0106756C
                                                                                                                                                                                    • FlushFileBuffers.KERNEL32(00000000,?,?,2F45994F,00000000), ref: 01067575
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,2F45994F,00000000), ref: 010675B8
                                                                                                                                                                                    • FlushFileBuffers.KERNEL32(00000000,?,?,2F45994F,00000000), ref: 010675C1
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,000000FF,?,?,00000000,011B76F4,00000002,?,?,2F45994F,00000000), ref: 0106762E
                                                                                                                                                                                    • FlushFileBuffers.KERNEL32(00000000,?,?,2F45994F,00000000), ref: 01067637
                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(00000000,?,?,2F45994F,00000000), ref: 01067676
                                                                                                                                                                                      • Part of subcall function 00EFA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00F15436,00000000,*.*,?,?,?,?), ref: 00EFA863
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$BuffersFlushWrite$CriticalSection$EnterFindInitializeLeaveResource
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1900893598-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 01012AC0: GetLastError.KERNEL32(2F45994F,01172DFD,01172DFD,01172DFD,?,00000000,011645BD,000000FF,?,80070057,00000000,?,?,01172DFD,01029ECA,00000000), ref: 01012B31
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,GetPackagePath), ref: 01068DAF
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,GetPackagePath), ref: 01068E18
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,011730E5,000000FF,?,010476D0,?,?,?,?,?,?,00000000), ref: 01068E42
                                                                                                                                                                                    • FreeLibrary.KERNEL32(?,?,?,00000000,00000000,?,?,011730E5,000000FF), ref: 01068F44
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressErrorLastProc$FreeLibrary
                                                                                                                                                                                    • String ID: GetPackagePath$Kernel32.dll$neutral$x64$x86
                                                                                                                                                                                    • API String ID: 329358263-4043905686
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 00F2AB71
                                                                                                                                                                                    • lstrcpynW.KERNEL32(?,?,00000020), ref: 00F2ABF1
                                                                                                                                                                                    • GetDC.USER32(?), ref: 00F2AC14
                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000), ref: 00F2AC1B
                                                                                                                                                                                    • MulDiv.KERNEL32(?,00000048,00000000), ref: 00F2AC2E
                                                                                                                                                                                    • SendMessageW.USER32(?,00000444,00000000,00000074), ref: 00F2AC60
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00F2AC9D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$CapsDeleteDeviceObjectlstrcpyn
                                                                                                                                                                                    • String ID: ?$t
                                                                                                                                                                                    • API String ID: 2619291461-1995845436
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 0103A2DE
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 0103A336
                                                                                                                                                                                    • EndDialog.USER32(?,00000000), ref: 0103A3B6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DeleteDialogLongObjectWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1328495006-0
                                                                                                                                                                                    • Opcode ID: 035ba3ce57d188cb9c4f6b71e1545abc0881c55ecd5e0dbf21fe496767e7cdb4
                                                                                                                                                                                    • Instruction ID: d503c866249bb9e2ae0c87d4d4d127e9d2e825fe74fdc6fd49574478361b7fef
                                                                                                                                                                                    • Opcode Fuzzy Hash: 035ba3ce57d188cb9c4f6b71e1545abc0881c55ecd5e0dbf21fe496767e7cdb4
                                                                                                                                                                                    • Instruction Fuzzy Hash: EB41D2363502149BD6349E2CA80CBAA3B9CD7C5331F00476AFAE2C32D0DAA2841196A0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsWindowVisible.USER32(?), ref: 00FBCC23
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00FBCC3B
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00FBCC53
                                                                                                                                                                                    • IntersectRect.USER32(?,?,?), ref: 00FBCC70
                                                                                                                                                                                    • EqualRect.USER32(?,?), ref: 00FBCC80
                                                                                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00FBCC97
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00FBCCC0
                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00FBCCD5
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00FBCCE4
                                                                                                                                                                                    • SetBrushOrgEx.GDI32(?,?,?,00000000), ref: 00FBCD02
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Rect$Brush$ColorEqualIntersectLongPointsVisible
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2158939716-0
                                                                                                                                                                                    • Opcode ID: 61225994033728aa57bbb6d66b51494255d357f28c6a4709153108eb049b4561
                                                                                                                                                                                    • Instruction ID: f62c522f2eb4dba69ec9642409b685996d277433c87f8220d7e63b02941b4946
                                                                                                                                                                                    • Opcode Fuzzy Hash: 61225994033728aa57bbb6d66b51494255d357f28c6a4709153108eb049b4561
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7A419F76A083059FC310CF15D848E6BBBE9FF99710F054A2EF94A97200E770E9448B92
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDC.USER32(?), ref: 00F0C4C1
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00F0C4E8
                                                                                                                                                                                    • CreateCompatibleDC.GDI32(?), ref: 00F0C4F8
                                                                                                                                                                                    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00F0C519
                                                                                                                                                                                    • DeleteDC.GDI32(00000000), ref: 00F0C526
                                                                                                                                                                                    • FillRect.USER32(?,?,00000006), ref: 00F0C56A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CompatibleCreateRect$BitmapClientDeleteFill
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1262984673-0
                                                                                                                                                                                    • Opcode ID: 5021001ebda5d2b8895fa5347eb0eb0c958af5b9f5d8a74caef336eb66ad44c9
                                                                                                                                                                                    • Instruction ID: 0c01814b3d2bbe9836860db6d3bd76331210e0be2e72442e7c7bb753d13b91bc
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5021001ebda5d2b8895fa5347eb0eb0c958af5b9f5d8a74caef336eb66ad44c9
                                                                                                                                                                                    • Instruction Fuzzy Hash: B331E17A5042059FD720DF28E84CB3ABBE4BF98350F080A0DF98797295D731E844EB91
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0104FBA0: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000010), ref: 0104FBCD
                                                                                                                                                                                      • Part of subcall function 00F03380: GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W,?), ref: 00F03477
                                                                                                                                                                                      • Part of subcall function 00F03380: GetProcAddress.KERNEL32(00000000), ref: 00F0347E
                                                                                                                                                                                      • Part of subcall function 00F03380: PathFileExistsW.SHLWAPI(?), ref: 00F034EC
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(?,?,00000003,?,00000001,?,00000000,00000000), ref: 0104E428
                                                                                                                                                                                    • SetFileAttributesW.KERNEL32(?,00000080), ref: 0104E43B
                                                                                                                                                                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 0104E448
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0104E58A
                                                                                                                                                                                    • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 0104E5A0
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0104E5C1
                                                                                                                                                                                    • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 0104E5D4
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$Wow64$AttributesHandleModuleProcessRedirectionRevert$AddressCloseCopyCreateExistsHeapNamePathProc
                                                                                                                                                                                    • String ID: "%s" %s
                                                                                                                                                                                    • API String ID: 3861218247-1070868581
                                                                                                                                                                                    • Opcode ID: 2c8edadb1b07b428eed97870b81c5450a567552ca8a739db3a069a64082da2ee
                                                                                                                                                                                    • Instruction ID: 4a749ed8c0fd729d20fdea369022638ff662358b0da5278708eb8f85e3301e80
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2c8edadb1b07b428eed97870b81c5450a567552ca8a739db3a069a64082da2ee
                                                                                                                                                                                    • Instruction Fuzzy Hash: 21D1B170D00248DFDB15DBA8C848BADBBF1BF48314F1482ACE551AB2D1DB79A945CF80
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F062EE
                                                                                                                                                                                    • SysAllocString.OLEAUT32(?), ref: 00F06306
                                                                                                                                                                                    • VariantInit.OLEAUT32(?), ref: 00F06341
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F063AA
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F063B8
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F063C6
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F063D7
                                                                                                                                                                                      • Part of subcall function 00EFB010: RtlAllocateHeap.NTDLL(?,00000000,?,2F45994F,00000000,011239F0,000000FF,?,?,0123843C,?,?,01074927,80004005,2F45994F,?), ref: 00EFB05A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • <body><h3 style="color:green;">Error loading resource:</h3><p style="white-space:nowrap">"%s"</p></body>, xrefs: 00F0645B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Variant$Clear$AllocAllocateHeapInitString
                                                                                                                                                                                    • String ID: <body><h3 style="color:green;">Error loading resource:</h3><p style="white-space:nowrap">"%s"</p></body>
                                                                                                                                                                                    • API String ID: 1547307772-1571955069
                                                                                                                                                                                    • Opcode ID: 8ca30647fa490364f1295c4d0c0dcd6b5376d7df649301940477e5290b440c6c
                                                                                                                                                                                    • Instruction ID: a81e117403a78a8f272133ffbef00478ce752663b6493daf6d8afd16fada4ae2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8ca30647fa490364f1295c4d0c0dcd6b5376d7df649301940477e5290b440c6c
                                                                                                                                                                                    • Instruction Fuzzy Hash: B8A1A375D00258DFDB14DFA8D848BAEBBB8FF49324F144269E411E7380DB74AA44DB90
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                      • Part of subcall function 00EFA840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00F15436,00000000,*.*,?,?,?,?), ref: 00EFA863
                                                                                                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,ps1,ps1,00000003,?,01047FF8), ref: 0106E9C8
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 0106EA0E
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0106EA2B
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0106EA45
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0106EA84
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$CloseHandleWrite$CreateFindHeapProcessResource
                                                                                                                                                                                    • String ID: Unable to get temp file $Unable to save script file $ps1
                                                                                                                                                                                    • API String ID: 3201387394-4253966538
                                                                                                                                                                                    • Opcode ID: 4ee9d3725ef5157b4cbc68d897951c8bd10ebad48778223735197b736633632d
                                                                                                                                                                                    • Instruction ID: dd7a450caecd2c4223486309d75f4bc0c8ca93dce4d57bc02733c7e3433337dd
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4ee9d3725ef5157b4cbc68d897951c8bd10ebad48778223735197b736633632d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 92612434A006099BDB14CFA8C844BBEBBF8FF44714F148258E951BB3C2DB746A05CBA0
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00EFEE08
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00EFEE12
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00EFEE24
                                                                                                                                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 00EFEE41
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00EFEE4B
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00EFEE58
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00EFEE62
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLastProcess$CloseCodeCreateExitHandleHeapObjectSingleWait
                                                                                                                                                                                    • String ID: "%s" %s
                                                                                                                                                                                    • API String ID: 3234789809-1070868581
                                                                                                                                                                                    • Opcode ID: 92f0a82ab98f4ab78cef790ba35373555a230be117c28230338eb0b8f6c9fc4d
                                                                                                                                                                                    • Instruction ID: 712f149cb0e34dc72db13f4eb6ff67d0b6f5d5ba5721be0b0f79b02c62518b66
                                                                                                                                                                                    • Opcode Fuzzy Hash: 92f0a82ab98f4ab78cef790ba35373555a230be117c28230338eb0b8f6c9fc4d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7F515C71E006199FCB24CF64D844BBEB7B9FF84718F204629EA26B7390D771A941CB91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,01121ADF), ref: 0112218C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DecodePointer
                                                                                                                                                                                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                                                                                                    • API String ID: 3527080286-3064271455
                                                                                                                                                                                    • Opcode ID: c9f205e8d0e08b8c2b6c35a7bd4ac4c6dcb293839b50738c0225e28d37100715
                                                                                                                                                                                    • Instruction ID: 62132d42be1fc66f8238c06e12dfe44d607866dc59335bd6dfa3b0ce46d7ef7b
                                                                                                                                                                                    • Opcode Fuzzy Hash: c9f205e8d0e08b8c2b6c35a7bd4ac4c6dcb293839b50738c0225e28d37100715
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4251A97090462ADBDF2C9FA8E98C2FCBFB4FB4A300F428144D591AA258CB358575CB55
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 01100297
                                                                                                                                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 0110029F
                                                                                                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 01100328
                                                                                                                                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 01100353
                                                                                                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 011003A8
                                                                                                                                                                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 011003BE
                                                                                                                                                                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 011003D3
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
                                                                                                                                                                                    • String ID: csm
                                                                                                                                                                                    • API String ID: 1385549066-1018135373
                                                                                                                                                                                    • Opcode ID: 250dc258b987d9f2351d59dbbece38aee3a7eb97ea1848f9a0372410acfe5e7b
                                                                                                                                                                                    • Instruction ID: c62ba5cb17b520b831ab2509d411bad64d6b7b72cd4e3e841673bf1de6857559
                                                                                                                                                                                    • Opcode Fuzzy Hash: 250dc258b987d9f2351d59dbbece38aee3a7eb97ea1848f9a0372410acfe5e7b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0541A034E04209AFCF1ADF69C880B9EBBA0AF49398F048055F9149B3D2D7B5DA15CB91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(01241FBC,00000000,2F45994F,00000000,01164873,000000FF,?,2F45994F), ref: 00EF2DC3
                                                                                                                                                                                    • GetLastError.KERNEL32(?,2F45994F), ref: 00EF2DCD
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CountCriticalErrorInitializeLastSectionSpin
                                                                                                                                                                                    • String ID: VolumeCostAvailable$VolumeCostDifference$VolumeCostRequired$VolumeCostSize$VolumeCostVolume
                                                                                                                                                                                    • API String ID: 439134102-34576578
                                                                                                                                                                                    • Opcode ID: 230bbbbb370297cdd7942118fc02bddafd6c6074b4b03b7881e134e5806f58ef
                                                                                                                                                                                    • Instruction ID: 9cdd694dc4327b91e3b28b44e557938407c0dc83ab146e9e897a1cdf08c235fb
                                                                                                                                                                                    • Opcode Fuzzy Hash: 230bbbbb370297cdd7942118fc02bddafd6c6074b4b03b7881e134e5806f58ef
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9151F0B5D003099BDB28CF94E9097EEB7F8EB18754F00422DDA11A7384E77AA915CF91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,010FC1D1,?,?,?,?), ref: 010FC04B
                                                                                                                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 010FC052
                                                                                                                                                                                      • Part of subcall function 010FC11D: IsProcessorFeaturePresent.KERNEL32(0000000C,010FC039,00000000,?,010FC1D1,?,?,?,?), ref: 010FC11F
                                                                                                                                                                                    • InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,010FC1D1,?,?,?,?), ref: 010FC062
                                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,?,?), ref: 010FC089
                                                                                                                                                                                    • RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,?,?), ref: 010FC09D
                                                                                                                                                                                    • InterlockedPopEntrySList.KERNEL32(00000000,?,?,?,?), ref: 010FC0B0
                                                                                                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?), ref: 010FC0C3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2460949444-0
                                                                                                                                                                                    • Opcode ID: a61272588f1164a31fd66ee791f6e9a6b90bdb271f3afb08930d0f0c0b91835c
                                                                                                                                                                                    • Instruction ID: 3c1828dd307359987718c467af727d5ab3e53386c220437dbd731b127f20800b
                                                                                                                                                                                    • Opcode Fuzzy Hash: a61272588f1164a31fd66ee791f6e9a6b90bdb271f3afb08930d0f0c0b91835c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 56113B7164121D6BF7311668AE4BF7F7A9DEF85744F044434FB82D6504CA71DC4287A0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,2F45994F), ref: 00F10841
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00F10878
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,Function_002C4720,00000000,Function_002C4720,00000000,?,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 00F10AEE
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,2F45994F,?,?,00000000,011285ED,000000FF,?,Function_002C4720,00000000,Function_002C4720,00000000,?,80000001,00000001,00000000), ref: 00F10B7E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00F108B0
                                                                                                                                                                                    • Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 00F10836
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Close$CreateErrorEventHandleLast
                                                                                                                                                                                    • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
                                                                                                                                                                                    • API String ID: 1253123496-2079760225
                                                                                                                                                                                    • Opcode ID: c2e058753a9387de0314cf79057d09df196cb1159f4977e9a14867688d1c8893
                                                                                                                                                                                    • Instruction ID: 3ae3dbff6bbb2cf444e07e53a34202120719d42b1e29ffa9b52c360316e81bff
                                                                                                                                                                                    • Opcode Fuzzy Hash: c2e058753a9387de0314cf79057d09df196cb1159f4977e9a14867688d1c8893
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8BC1EF70D00249EFDB14CF68C948BEEBBB4FF55304F10829DE459A7681DBB4AA84CB91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 00F02C80
                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00F02D08
                                                                                                                                                                                    • GetProcessHeap.KERNEL32(-000000FE,?,?), ref: 00F02D80
                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,-000000FE,?,?), ref: 00F02D86
                                                                                                                                                                                    • GetProcessHeap.KERNEL32(-000000FE,00000000,?,00000000,00000000,00000000,2F45994F,?,?,?), ref: 00F02DB3
                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,-000000FE,00000000,?,00000000,00000000,00000000,2F45994F,?,?,?), ref: 00F02DB9
                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00F02DD1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Free$Heap$String$Process
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2680101141-0
                                                                                                                                                                                    • Opcode ID: 836e0e07b2f90946e81bb75c618cf5bfb17fcfe75d0cc5d58e2f679312e6971a
                                                                                                                                                                                    • Instruction ID: d5a4d7ea51adfe2774e01ec122244f9a1caf22507e18a526a4b2529ed98b68c6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 836e0e07b2f90946e81bb75c618cf5bfb17fcfe75d0cc5d58e2f679312e6971a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4A916A70D0121ADBDF10DFA8C848BEEBBB4BF54324F244559E850A72C1DB789E04EBA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(?,.dll,00000004,-00000001,00000000,Function_002C4720,00000000,00000000,00000000), ref: 00F00A7D
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,DllGetActivationFactory), ref: 00F00AC6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                                                    • String ID: .dll$DllGetActivationFactory
                                                                                                                                                                                    • API String ID: 2574300362-1250754257
                                                                                                                                                                                    • Opcode ID: 99e1f6df0c447079b7ca88f265a8c00f0c7746a9ce4413286aa6ed124eaa16df
                                                                                                                                                                                    • Instruction ID: a373c4bb8e7dead352967445ecf0accfe5c90d3b5ceb283a9eeb848ce07f9d87
                                                                                                                                                                                    • Opcode Fuzzy Hash: 99e1f6df0c447079b7ca88f265a8c00f0c7746a9ce4413286aa6ed124eaa16df
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5291A870E00209EFDB18DFA8C895BEDBBB1AF94314F248119E011A72D1DF74AA44EB90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?,2F459951), ref: 00F10673
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00F106D0
                                                                                                                                                                                      • Part of subcall function 010FCAB5: AcquireSRWLockExclusive.KERNEL32(01240888,?,?,?,00EFB446,0124149C,2F45994F,?,?,01123F6D,000000FF,?,010748BD,2F45994F,?), ref: 010FCAC0
                                                                                                                                                                                      • Part of subcall function 010FCAB5: ReleaseSRWLockExclusive.KERNEL32(01240888,?,?,00EFB446,0124149C,2F45994F,?,?,01123F6D,000000FF,?,010748BD,2F45994F,?), ref: 010FCAFA
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00F10737
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?), ref: 00F1075D
                                                                                                                                                                                      • Part of subcall function 010FCA64: AcquireSRWLockExclusive.KERNEL32(01240888,?,?,00EFB4B7,0124149C,01187860), ref: 010FCA6E
                                                                                                                                                                                      • Part of subcall function 010FCA64: ReleaseSRWLockExclusive.KERNEL32(01240888,?,?,00EFB4B7,0124149C,01187860), ref: 010FCAA1
                                                                                                                                                                                      • Part of subcall function 010FCA64: WakeAllConditionVariable.KERNEL32(01240884,?,?,00EFB4B7,0124149C,01187860), ref: 010FCAAC
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ExclusiveLock$AcquireCloseFileHandleRelease$ConditionCreateVariableWakeWrite
                                                                                                                                                                                    • String ID: aix$html
                                                                                                                                                                                    • API String ID: 3683816281-2369804267
                                                                                                                                                                                    • Opcode ID: 7f029c553d94ceecf36abe0b4cc21613940406c06ce97f644d4a14a279571937
                                                                                                                                                                                    • Instruction ID: ea3978ff9c655d6e8cfeacc86dbf67fe6eed3266dfe4ed0a9cc95214e6ab5800
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7f029c553d94ceecf36abe0b4cc21613940406c06ce97f644d4a14a279571937
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2661AB70900248DFEB24DFA4E949BDEBBF0FB54718F10455DE411AB281DBB92A88CB91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetWindowDC.USER32(?,2F45994F,00000000,?,?,?,?,?,?,?,?,00000000,0112ADD5,000000FF,?,00F1E593), ref: 00F1E7B2
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00F1E7D1
                                                                                                                                                                                    • IsWindowEnabled.USER32(?), ref: 00F1E7E0
                                                                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00F1E84D
                                                                                                                                                                                    • SelectObject.GDI32(?,?), ref: 00F1E891
                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00F1E8A0
                                                                                                                                                                                    • DeleteDC.GDI32(?), ref: 00F1E8C3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ObjectWindow$DeleteSelect$EnabledRect
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2818206005-0
                                                                                                                                                                                    • Opcode ID: 236043759e84a773f7158cc2ebbcfcc931f42716c146d837de2cee7601e7d2fa
                                                                                                                                                                                    • Instruction ID: 452bd7e636970b88da899c3fa5551d1e7476653f6e6f4ecc366740ad4a0640b4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 236043759e84a773f7158cc2ebbcfcc931f42716c146d837de2cee7601e7d2fa
                                                                                                                                                                                    • Instruction Fuzzy Hash: 91413F75A00218AFEB14CFA9D988BAEBBF9FF8C711F144159F916A7284D7746D00CB60
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(Shlwapi.dll,-00000001,00000000,?,?,?,?,?,?,?,?,0104537B,?), ref: 01038CAF
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 01038CC5
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 01038D08
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,0104537B,?), ref: 01038D24
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Library$Free$AddressLoadProc
                                                                                                                                                                                    • String ID: DllGetVersion$Shlwapi.dll
                                                                                                                                                                                    • API String ID: 1386263645-2240825258
                                                                                                                                                                                    • Opcode ID: cdf83ae8ec7e6b7a7858191f14f76802e2c3768468d75cb76ceccf43f7b52e77
                                                                                                                                                                                    • Instruction ID: 43782f9d2e1b1447d4b0b79d6f4e026b29c4d3d4ecfd9aa4389fecbd8c455fa2
                                                                                                                                                                                    • Opcode Fuzzy Hash: cdf83ae8ec7e6b7a7858191f14f76802e2c3768468d75cb76ceccf43f7b52e77
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7021A3756043058BC324DF29D88997FFBE8FFDD255B404A6EF899C2200EA3094458BA2
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,010F95B9,010F951C,010F97BD), ref: 010F9555
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 010F956B
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 010F9580
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                                                                                    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                                                                                                                    • API String ID: 667068680-1718035505
                                                                                                                                                                                    • Opcode ID: 1b91146497eab66e68ab84cb4c548a681cdec7e850c60a343b48ad6e99860ea0
                                                                                                                                                                                    • Instruction ID: 88d030a45d9e1d8171e2ac6c46a24de7f0abc861f52d313960a1e4df0d7233c6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1b91146497eab66e68ab84cb4c548a681cdec7e850c60a343b48ad6e99860ea0
                                                                                                                                                                                    • Instruction Fuzzy Hash: F2F0C2327002129B5FF58FA9588E7BB3BDC6E45E5C30001BDFF91D3A04D625C4818398
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • BeginPaint.USER32(?,?), ref: 00F133FA
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00F1341B
                                                                                                                                                                                    • GetParent.USER32(?), ref: 00F1343B
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000135,?,?), ref: 00F1344B
                                                                                                                                                                                    • FillRect.USER32(?,?,00000000), ref: 00F13459
                                                                                                                                                                                    • EndPaint.USER32(?,?), ref: 00F1361C
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: PaintRect$BeginClientFillMessageParentSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 732421049-0
                                                                                                                                                                                    • Opcode ID: ad6aca75c695c4ff205635bfd6f5cb125a05335e4d8535f7e58ceb654052a1c8
                                                                                                                                                                                    • Instruction ID: df9052b312cb9d988c3b974037ca933dcb57570f2e192325d21932a1ce901a07
                                                                                                                                                                                    • Opcode Fuzzy Hash: ad6aca75c695c4ff205635bfd6f5cb125a05335e4d8535f7e58ceb654052a1c8
                                                                                                                                                                                    • Instruction Fuzzy Hash: A4915870900219DFEF21CF68D948BADBBB5FF08314F1481A9E809A7241DB71AE85DF50
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F3539A
                                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F353BC
                                                                                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F353E4
                                                                                                                                                                                    • __Getctype.LIBCPMT ref: 00F354C5
                                                                                                                                                                                    • std::_Facet_Register.LIBCPMT ref: 00F35527
                                                                                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F3555B
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1102183713-0
                                                                                                                                                                                    • Opcode ID: bd1dff5422ed395b93e04a163419969f065eb1401b95b5d889d648a93751999c
                                                                                                                                                                                    • Instruction ID: a5d7f36e7a0db47967280dabb5e82cd184fab489a23e98cd3aec58e072ad25e0
                                                                                                                                                                                    • Opcode Fuzzy Hash: bd1dff5422ed395b93e04a163419969f065eb1401b95b5d889d648a93751999c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3861DCB0D0064ACFDB14CF58D9447AEFBB4FF94324F148259D959AB380EB74AA84CB91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F3518D
                                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F351AF
                                                                                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F351D7
                                                                                                                                                                                    • __Getcoll.LIBCPMT ref: 00F352A1
                                                                                                                                                                                    • std::_Facet_Register.LIBCPMT ref: 00F352E6
                                                                                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00F35327
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1184649410-0
                                                                                                                                                                                    • Opcode ID: f5d219335200f75ebf68f2b82af05e9936338065f253eee9857a6f56cca8cb29
                                                                                                                                                                                    • Instruction ID: 14a57e6c4d96ce3b9c84c60a7f4ee9f06dd9959775c86f30f67f051e6a289778
                                                                                                                                                                                    • Opcode Fuzzy Hash: f5d219335200f75ebf68f2b82af05e9936338065f253eee9857a6f56cca8cb29
                                                                                                                                                                                    • Instruction Fuzzy Hash: E651CE70D01208DFDB11DF98E985BAEFBB4FF90324F248159E855AB280DB74AE05DB91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,010FE161,010FE124,?,?,00F3230D,0102CD10,?,00000008), ref: 010FE178
                                                                                                                                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 010FE186
                                                                                                                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 010FE19F
                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,010FE161,010FE124,?,?,00F3230D,0102CD10,?,00000008), ref: 010FE1F1
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3852720340-0
                                                                                                                                                                                    • Opcode ID: e7725ff0bbc81db8dc519fbb2561dc210f0854a785cafb0afdddbd87a43793bb
                                                                                                                                                                                    • Instruction ID: 667698a2d7a6ac4fc271a5970dd3278a10e190923bccc135c55a13cca8fee466
                                                                                                                                                                                    • Opcode Fuzzy Hash: e7725ff0bbc81db8dc519fbb2561dc210f0854a785cafb0afdddbd87a43793bb
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6F014C3250D3176EE73A25B9FC896EA2789FB02B78321037DF620845E4FF5588128244
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$ActiveForeground
                                                                                                                                                                                    • String ID: User accepted to install a newer version.$User refused to install a newer version.
                                                                                                                                                                                    • API String ID: 307657957-4113633398
                                                                                                                                                                                    • Opcode ID: b980041ae22bd43f39bd8b059f23cf3c46dbe30d5a6be0a4566bf9537def13cd
                                                                                                                                                                                    • Instruction ID: b8033b0715c608ad697b8a1dc49020cf52a7eadd13cddd9f7d4cbe793608d30b
                                                                                                                                                                                    • Opcode Fuzzy Hash: b980041ae22bd43f39bd8b059f23cf3c46dbe30d5a6be0a4566bf9537def13cd
                                                                                                                                                                                    • Instruction Fuzzy Hash: B781E431E001099FDB15DF68C8447AEBBF5EF89324F28829DE955A7381DB35AD02CB91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • InitializeCriticalSection.KERNEL32(01242000,2F45994F,?), ref: 010672AF
                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(?,2F45994F,?), ref: 010672BC
                                                                                                                                                                                    • OutputDebugStringW.KERNEL32(01048DF2,?,00000000), ref: 01067385
                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?,00000000), ref: 01067417
                                                                                                                                                                                      • Part of subcall function 00EFB010: RtlAllocateHeap.NTDLL(?,00000000,?,2F45994F,00000000,011239F0,000000FF,?,?,0123843C,?,?,01074927,80004005,2F45994F,?), ref: 00EFB05A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Logger::SetLogFile( %s ) while OLD path is:%s, xrefs: 01067303
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CriticalSection$AllocateDebugEnterHeapInitializeLeaveOutputString
                                                                                                                                                                                    • String ID: Logger::SetLogFile( %s ) while OLD path is:%s
                                                                                                                                                                                    • API String ID: 117955849-1927537607
                                                                                                                                                                                    • Opcode ID: 5d1aad932ad2b8bf3a03a7faa90d603258d1f039032560bc6de9d67ec8c97b57
                                                                                                                                                                                    • Instruction ID: d0c34be8694981f495d3298856f7a311bf20d520817dc8782a35353690d55c7d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5d1aad932ad2b8bf3a03a7faa90d603258d1f039032560bc6de9d67ec8c97b57
                                                                                                                                                                                    • Instruction Fuzzy Hash: FD51D035900219CFCF05DFA8C8456AEBBB9EF89318F14819CE952A7381DB359A02CB90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 00F34642
                                                                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000028,00000000), ref: 00F3464F
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00F3468D
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00F346C4
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Process$CloseCurrentErrorHandleLastOpenToken
                                                                                                                                                                                    • String ID: SeShutdownPrivilege
                                                                                                                                                                                    • API String ID: 2767541406-3733053543
                                                                                                                                                                                    • Opcode ID: 31b74c7661c0182d4939fcf1a8a193c91882f3b9cd4f2398974221103b68ef95
                                                                                                                                                                                    • Instruction ID: 18c34932a266bf392bd0c51f36637aa47ef1b87398f1c1ec5b2a7d41b23b3fbd
                                                                                                                                                                                    • Opcode Fuzzy Hash: 31b74c7661c0182d4939fcf1a8a193c91882f3b9cd4f2398974221103b68ef95
                                                                                                                                                                                    • Instruction Fuzzy Hash: B4316DB5A406089FEB24DFA4D949BEEBBF8FB09724F104119E512B72C0DB756904CB64
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetProcAddress.KERNEL32(SetWindowTheme), ref: 0100A42D
                                                                                                                                                                                    • SendMessageW.USER32(?,00001036,00010000,00010000), ref: 0100A478
                                                                                                                                                                                      • Part of subcall function 010FCAB5: AcquireSRWLockExclusive.KERNEL32(01240888,?,?,?,00EFB446,0124149C,2F45994F,?,?,01123F6D,000000FF,?,010748BD,2F45994F,?), ref: 010FCAC0
                                                                                                                                                                                      • Part of subcall function 010FCAB5: ReleaseSRWLockExclusive.KERNEL32(01240888,?,?,00EFB446,0124149C,2F45994F,?,?,01123F6D,000000FF,?,010748BD,2F45994F,?), ref: 010FCAFA
                                                                                                                                                                                      • Part of subcall function 00FE82D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00FE8312
                                                                                                                                                                                      • Part of subcall function 010FCA64: AcquireSRWLockExclusive.KERNEL32(01240888,?,?,00EFB4B7,0124149C,01187860), ref: 010FCA6E
                                                                                                                                                                                      • Part of subcall function 010FCA64: ReleaseSRWLockExclusive.KERNEL32(01240888,?,?,00EFB4B7,0124149C,01187860), ref: 010FCAA1
                                                                                                                                                                                      • Part of subcall function 010FCA64: WakeAllConditionVariable.KERNEL32(01240884,?,?,00EFB4B7,0124149C,01187860), ref: 010FCAAC
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ExclusiveLock$AcquireRelease$AddressConditionDirectoryMessageProcSendSystemVariableWake
                                                                                                                                                                                    • String ID: SetWindowTheme$UxTheme.dll$explorer
                                                                                                                                                                                    • API String ID: 1065053019-3123591815
                                                                                                                                                                                    • Opcode ID: 61bd2133ffd0a6ae9dc429e9160f07582fe3483f2aa76f6f42f548a18e178837
                                                                                                                                                                                    • Instruction ID: 0fcd582eb7f149e23f0b6ee0aeef04fe5baac995bbf670fd093eba30a16fb1f2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 61bd2133ffd0a6ae9dc429e9160f07582fe3483f2aa76f6f42f548a18e178837
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3B21E175A40385EBD324DB59F94AF8977A4E750B20F144269E932AB2C4D77079408BD1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(01241F9C,2F45994F,?,?,?,?,?,?,?,?,?,?,?,?,00000000,01127EB5), ref: 00F0E58A
                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,01127EB5), ref: 00F0E604
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CriticalEnterFileModuleNameSection
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 764724386-0
                                                                                                                                                                                    • Opcode ID: a1bec2b6d16324b0e7d68db0968b10703579d1fc56cac29c935b759007e80a7e
                                                                                                                                                                                    • Instruction ID: 7d3768bb2c663016a7119244bcf6bd049210d6a8892f3fbe47c1da51694f80db
                                                                                                                                                                                    • Opcode Fuzzy Hash: a1bec2b6d16324b0e7d68db0968b10703579d1fc56cac29c935b759007e80a7e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1EC1AE75A00218DFDB15CFA4D888BAEBBF4BF48314F144469E815E7390CB75AD45EBA0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDC.USER32(00000001), ref: 00F19272
                                                                                                                                                                                    • GetParent.USER32(00000001), ref: 00F1929D
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000138,?,00000001), ref: 00F192AD
                                                                                                                                                                                    • FillRect.USER32(?,?,00000000), ref: 00F192BB
                                                                                                                                                                                    • ReleaseDC.USER32(00000001,00000000), ref: 00F1948E
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FillMessageParentRectReleaseSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2215362955-0
                                                                                                                                                                                    • Opcode ID: 8e61754be753f5adf4e4bec07e9a2dde7f510d852aa35295ae6f6aa3876441f0
                                                                                                                                                                                    • Instruction ID: 4ea90caee269fc669c1fabe8801de7529d1a0e419692301e3e74b5b25c268e9f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8e61754be753f5adf4e4bec07e9a2dde7f510d852aa35295ae6f6aa3876441f0
                                                                                                                                                                                    • Instruction Fuzzy Hash: 64918AB2E04619AFDB25CFA4D908BEEBBB8FF08310F044129E916E7254D731A955DF90
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: HeapProcess
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 54951025-0
                                                                                                                                                                                    • Opcode ID: 4519dce976a5e8f47da08f32f1035ada318a4bb2ea14e3d04c960fb40c22526f
                                                                                                                                                                                    • Instruction ID: 55782e01fb3c248679c28472c76a2be40f0408693e3a847382c91bd9330d4cbe
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4519dce976a5e8f47da08f32f1035ada318a4bb2ea14e3d04c960fb40c22526f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4A919F35A00209DFEB15CFA8D98879DBBF9FF48324F148199E955AB381CB749901CF90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetWindowDC.USER32(?,2F45994F,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0116335D), ref: 0100B2C0
                                                                                                                                                                                    • GetWindowRect.USER32(?,00000000), ref: 0100B2E0
                                                                                                                                                                                    • IsWindowEnabled.USER32(?), ref: 0100B311
                                                                                                                                                                                    • GetFocus.USER32 ref: 0100B31F
                                                                                                                                                                                    • DeleteDC.GDI32(?), ref: 0100B45E
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$DeleteEnabledFocusRect
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 733580484-0
                                                                                                                                                                                    • Opcode ID: efe833c28b8388a93a2595f5adb0dc37e8e9ba99a21130206fe81acdfb90d3ba
                                                                                                                                                                                    • Instruction ID: 346319666539cd7c73cd7d7f0cc47d4a6a47c8c2ff2b1faf3475128ec93cbe69
                                                                                                                                                                                    • Opcode Fuzzy Hash: efe833c28b8388a93a2595f5adb0dc37e8e9ba99a21130206fe81acdfb90d3ba
                                                                                                                                                                                    • Instruction Fuzzy Hash: 08611974A00619EFEF25DFA4D988BEDBBF8FF08310F144169E916A7280D775A944CB60
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 0100B4F9
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • IsWindowEnabled.USER32(?), ref: 0100B53D
                                                                                                                                                                                    • GetFocus.USER32 ref: 0100B54A
                                                                                                                                                                                    • GetDC.USER32(?), ref: 0100B578
                                                                                                                                                                                      • Part of subcall function 010340F0: SelectObject.GDI32(?,?), ref: 01034153
                                                                                                                                                                                      • Part of subcall function 010340F0: SetTextColor.GDI32(?,?), ref: 010341A2
                                                                                                                                                                                      • Part of subcall function 010340F0: SelectObject.GDI32(?,?), ref: 010341CC
                                                                                                                                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 0100B5A7
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ObjectSelectWindow$CallClientColorEnabledFocusHeapProcProcessRectText
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1129051362-0
                                                                                                                                                                                    • Opcode ID: d383afe6114ab69dd9c9e4e237fd597da2302267649723cea52a80500f354b2e
                                                                                                                                                                                    • Instruction ID: 2925c88fdf993fdadab537ad6425aa3e1787ebf6fccf2e39b3c930e9df98c41d
                                                                                                                                                                                    • Opcode Fuzzy Hash: d383afe6114ab69dd9c9e4e237fd597da2302267649723cea52a80500f354b2e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 73515D75900218DFEB11DF64D988BEDBBF5FF08310F1881A9E916AB291DB35A940CF60
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ItemMessageSendWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 799199299-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDC.USER32(?), ref: 00F0EE3C
                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F0EE4B
                                                                                                                                                                                    • ReleaseDC.USER32(00000000), ref: 00F0EE92
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CapsDeviceRelease
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 127614599-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,00000000), ref: 00F128B6
                                                                                                                                                                                    • GetClientRect.USER32(?,00000000), ref: 00F128DC
                                                                                                                                                                                    • GetParent.USER32(?), ref: 00F128EA
                                                                                                                                                                                      • Part of subcall function 010FC189: GetProcessHeap.KERNEL32(00000008,00000008,00000000,0105C8C1,?,?,?), ref: 010FC18E
                                                                                                                                                                                      • Part of subcall function 010FC189: HeapAlloc.KERNEL32(00000000,?,?,?), ref: 010FC195
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000EB), ref: 00F1292B
                                                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00F1294D
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$HeapLong$AllocClientParentProcessRectShow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3563161840-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LocalFree.KERNEL32(?,80004005,?), ref: 0102AA42
                                                                                                                                                                                    • LocalFree.KERNEL32(?,80004005,?), ref: 0102AA56
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0102AA98
                                                                                                                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 0102AAD8
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0102AAF2
                                                                                                                                                                                    • LocalFree.KERNEL32(?), ref: 0102AB03
                                                                                                                                                                                      • Part of subcall function 00EFB010: RtlAllocateHeap.NTDLL(?,00000000,?,2F45994F,00000000,011239F0,000000FF,?,?,0123843C,?,?,01074927,80004005,2F45994F,?), ref: 00EFB05A
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Local$Free$ErrorLast$AllocAllocateHeap
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1027944315-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ClientToScreen.USER32(?,?), ref: 00F0C292
                                                                                                                                                                                    • ClientToScreen.USER32(?,?), ref: 00F0C2A4
                                                                                                                                                                                    • GetParent.USER32(?), ref: 00F0C2AE
                                                                                                                                                                                    • ScreenToClient.USER32(00000000,?), ref: 00F0C2C0
                                                                                                                                                                                    • ScreenToClient.USER32(00000000,?), ref: 00F0C2D0
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClientScreen$Parent
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3677003336-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F026CA
                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00F026D0
                                                                                                                                                                                    • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 00F026F3
                                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,01125A96,000000FF), ref: 00F0271B
                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,01125A96,000000FF), ref: 00F02721
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Heap$FreeProcess$FormatMessage
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1606019998-0
                                                                                                                                                                                    • Opcode ID: c9b1c35a41af95673f474831197932517ade8752f434200aa845433e7cfdc591
                                                                                                                                                                                    • Instruction ID: 47b9589a00a1ce73417e87dae6e5edb5b1e5eb49d0ea4e3f8a5201c551f604cd
                                                                                                                                                                                    • Opcode Fuzzy Hash: c9b1c35a41af95673f474831197932517ade8752f434200aa845433e7cfdc591
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6E1130B1A44219ABEB10DF94CD46FEFBBB8EB04B54F10451AE510B76C0D7B59A048BA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(0106F000,80000000,00000000,00000000,00000003,00000080,00000000,2F45994F,?,0106F000), ref: 0106F03C
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0106F05A
                                                                                                                                                                                    • ReadFile.KERNEL32(00000000,2F45994F,00000004,0106F000,00000000), ref: 0106F070
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0106F07A
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0106F099
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorFileLast$CloseCreateHandleRead
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3160720760-0
                                                                                                                                                                                    • Opcode ID: 36262e060aab4594747a8f5de40de84f9c9e7eb9b522762364bded9b303dc5b4
                                                                                                                                                                                    • Instruction ID: 55c00f41f4fcc0a297bd3732da9717faa10adcfc311c9434b82366ed18b2d11c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 36262e060aab4594747a8f5de40de84f9c9e7eb9b522762364bded9b303dc5b4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6411B671A04209AFE7348F98ED49B6EBBFCFB45B64F104229FA21B62C0D77459008790
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F1E04A
                                                                                                                                                                                    • SendMessageW.USER32(?,?,?,0000102B), ref: 00F1E0A1
                                                                                                                                                                                    • SendMessageW.USER32(?,?,?,0000102B), ref: 00F1E0F4
                                                                                                                                                                                    • SendMessageW.USER32(?,00001043,00000000,00000000), ref: 00F1E109
                                                                                                                                                                                    • SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00F1E11A
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$LongWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 312131281-0
                                                                                                                                                                                    • Opcode ID: 20a319086d6e2374712c4e1542ec5177cc7cd818ef5aabf4a1026d35684352b9
                                                                                                                                                                                    • Instruction ID: 80818d213540cb698a139ceca40075c2a2e077238059cd5e9f03177253dc9c6f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 20a319086d6e2374712c4e1542ec5177cc7cd818ef5aabf4a1026d35684352b9
                                                                                                                                                                                    • Instruction Fuzzy Hash: DB214D31958386A7E320CF50DD48B5ABBF5BFDDB18F206B0EF18121198E7F195849B86
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateWindowExW.USER32(?,RichEdit20W,?,?,00000000,80000000,00000000,00000000,00000000,00000000,00000000), ref: 00F2A8AB
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00F2A8BA
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00F2A8C6
                                                                                                                                                                                      • Part of subcall function 00EFB010: RtlAllocateHeap.NTDLL(?,00000000,?,2F45994F,00000000,011239F0,000000FF,?,?,0123843C,?,?,01074927,80004005,2F45994F,?), ref: 00EFB05A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$AllocateCreateHeapWindow
                                                                                                                                                                                    • String ID: RichEdit20W
                                                                                                                                                                                    • API String ID: 2359350451-4173859555
                                                                                                                                                                                    • Opcode ID: 64b096f77a3fcfbae73962e2f9d10abaff0e0f2ab1cd51f8158478a874998c31
                                                                                                                                                                                    • Instruction ID: 6d053c753569f1a0c1fc1aa3b7dc939887b7fd992eb90353fee3e3b41a2c488e
                                                                                                                                                                                    • Opcode Fuzzy Hash: 64b096f77a3fcfbae73962e2f9d10abaff0e0f2ab1cd51f8158478a874998c31
                                                                                                                                                                                    • Instruction Fuzzy Hash: 15C18875E002189FDB14CFA8D894BEEBBF5FF48310F14416AE916AB391DB74A801CB94
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0107D670: SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,80000002,80000002,01242000), ref: 0107D680
                                                                                                                                                                                      • Part of subcall function 0107D670: LoadLibraryW.KERNEL32(Shell32.dll,?,80000002,80000002,01242000), ref: 0107D693
                                                                                                                                                                                      • Part of subcall function 0107D670: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0107D6A3
                                                                                                                                                                                    • PathFileExistsW.SHLWAPI(?,ADVINST_LOGS,0000000C,01242000), ref: 01068416
                                                                                                                                                                                      • Part of subcall function 00EFB010: RtlAllocateHeap.NTDLL(?,00000000,?,2F45994F,00000000,011239F0,000000FF,?,?,0123843C,?,?,01074927,80004005,2F45994F,?), ref: 00EFB05A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressAllocateExistsFileFolderHeapLibraryLoadLocationPathProcSpecial
                                                                                                                                                                                    • String ID: ADVINST_LOGS$Everyone
                                                                                                                                                                                    • API String ID: 3321256476-3921853867
                                                                                                                                                                                    • Opcode ID: d99ce19fd2d13c397e8182cd87018cfefef2b3da03d1949101ded3a87340e29e
                                                                                                                                                                                    • Instruction ID: c95e8fe8b2a3cc6a3fb9d76e7db9713d86eb0cda2b170ba87a7fdc8cd196ef08
                                                                                                                                                                                    • Opcode Fuzzy Hash: d99ce19fd2d13c397e8182cd87018cfefef2b3da03d1949101ded3a87340e29e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 41A1FF71901209CFDB04DFA8C948BAEBBB4EF48324F248199E952BB391DB355E05CB90
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00EFB010: RtlAllocateHeap.NTDLL(?,00000000,?,2F45994F,00000000,011239F0,000000FF,?,?,0123843C,?,?,01074927,80004005,2F45994F,?), ref: 00EFB05A
                                                                                                                                                                                      • Part of subcall function 01009EB0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,00000000,?,00F1D5B8,?,80004005,?), ref: 01009F3A
                                                                                                                                                                                      • Part of subcall function 01009EB0: RedrawWindow.USER32(?,00000000,00000000,00000541,?,?,?,00000000,?,00F1D5B8,?,80004005,?), ref: 01009F4B
                                                                                                                                                                                      • Part of subcall function 01009EB0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01009F74
                                                                                                                                                                                    • SendMessageW.USER32(?,00001036,00000004,00000004), ref: 00F24BE1
                                                                                                                                                                                    • SendMessageW.USER32(?,00001036,00000400,00000400), ref: 00F24BFC
                                                                                                                                                                                    • SendMessageW.USER32(?,00001061,00000000,?), ref: 00F24C5C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Window$AllocateHeapRedraw
                                                                                                                                                                                    • String ID: QuickSelectionList
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 0107D431
                                                                                                                                                                                    • CoCreateInstance.COMBASE(011D22F8,00000000,00000001,011D2308,00000000), ref: 0107D461
                                                                                                                                                                                    • CoUninitialize.COMBASE ref: 0107D64B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • {374DE290-123F-4565-9164-39C4925E467B}, xrefs: 0107D4AD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateInitializeInstanceUninitialize
                                                                                                                                                                                    • String ID: {374DE290-123F-4565-9164-39C4925E467B}
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,2F45994F,?,80000002,80000002), ref: 01068853
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,2F45994F,80000002,?,00000000,01173053,000000FF,?,80004005,?,80000002), ref: 010689F0
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,2F45994F,80000002,?,00000000,01173053,000000FF,?,80004005,?,80000002), ref: 01068A1F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseHandle$FileModuleName
                                                                                                                                                                                    • String ID: LOG
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00F02AA4
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00F02AAA
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                                                    • String ID: RoOriginateLanguageException$combase.dll
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 010FCAB5: AcquireSRWLockExclusive.KERNEL32(01240888,?,?,?,00EFB446,0124149C,2F45994F,?,?,01123F6D,000000FF,?,010748BD,2F45994F,?), ref: 010FCAC0
                                                                                                                                                                                      • Part of subcall function 010FCAB5: ReleaseSRWLockExclusive.KERNEL32(01240888,?,?,00EFB446,0124149C,2F45994F,?,?,01123F6D,000000FF,?,010748BD,2F45994F,?), ref: 010FCAFA
                                                                                                                                                                                    • LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 0103739E
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 010373A5
                                                                                                                                                                                      • Part of subcall function 010FCA64: AcquireSRWLockExclusive.KERNEL32(01240888,?,?,00EFB4B7,0124149C,01187860), ref: 010FCA6E
                                                                                                                                                                                      • Part of subcall function 010FCA64: ReleaseSRWLockExclusive.KERNEL32(01240888,?,?,00EFB4B7,0124149C,01187860), ref: 010FCAA1
                                                                                                                                                                                      • Part of subcall function 010FCA64: WakeAllConditionVariable.KERNEL32(01240884,?,?,00EFB4B7,0124149C,01187860), ref: 010FCAAC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ExclusiveLock$AcquireRelease$AddressConditionLibraryLoadProcVariableWake
                                                                                                                                                                                    • String ID: Dbghelp.dll$SymFromAddr
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,011011ED,?,?,00000000,?,?,?,01101317,00000002,FlsGetValue,011AECEC,FlsGetValue), ref: 01101249
                                                                                                                                                                                    • GetLastError.KERNEL32(?,011011ED,?,?,00000000,?,?,?,01101317,00000002,FlsGetValue,011AECEC,FlsGetValue,?,?,010FE18B), ref: 01101253
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 0110127B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                    • String ID: api-ms-
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageW.USER32(?,00001037,00000000,00000000), ref: 00F1D55D
                                                                                                                                                                                    • SendMessageW.USER32(?,00001036,00000000,00000000), ref: 00F1D576
                                                                                                                                                                                      • Part of subcall function 00EFB010: RtlAllocateHeap.NTDLL(?,00000000,?,2F45994F,00000000,011239F0,000000FF,?,?,0123843C,?,?,01074927,80004005,2F45994F,?), ref: 00EFB05A
                                                                                                                                                                                      • Part of subcall function 01009EB0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,00000000,?,00F1D5B8,?,80004005,?), ref: 01009F3A
                                                                                                                                                                                      • Part of subcall function 01009EB0: RedrawWindow.USER32(?,00000000,00000000,00000541,?,?,?,00000000,?,00F1D5B8,?,80004005,?), ref: 01009F4B
                                                                                                                                                                                      • Part of subcall function 01009EB0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01009F74
                                                                                                                                                                                    • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00F1D6B3
                                                                                                                                                                                    • SendMessageW.USER32(?,00001061,00000000,00000005), ref: 00F1D7AF
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Window$AllocateHeapRedraw
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 884508843-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageW.USER32(00000001,0000110A,00000004,?), ref: 00F27161
                                                                                                                                                                                    • SendMessageW.USER32(00000001,0000110A,00000001,00000000), ref: 00F27196
                                                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000004,?), ref: 00F27352
                                                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00F27378
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3850602802-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetActiveWindow.USER32 ref: 0103ED07
                                                                                                                                                                                    • GetForegroundWindow.USER32(?,00000000,0116B31D,000000FF,?,01048009), ref: 0103ED17
                                                                                                                                                                                    • OutputDebugStringW.KERNEL32(?,2F45994F,00000000,00000000,00000000,?,00000000,0116B31D,000000FF,?,01048009,?), ref: 0103EDB8
                                                                                                                                                                                    • SetForegroundWindow.USER32(00000000), ref: 0103ED4F
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Foreground$ActiveDebugHeapOutputProcessString
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 799693181-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsWindowEnabled.USER32(?), ref: 00F1E381
                                                                                                                                                                                    • IsWindowEnabled.USER32(?), ref: 00F1E3D7
                                                                                                                                                                                    • CopyRect.USER32(00000000,?), ref: 00F1E441
                                                                                                                                                                                    • IsWindowEnabled.USER32(?), ref: 00F1E45A
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: EnabledWindow$CopyRect
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2919275910-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DeleteCriticalSection.KERNEL32(01241FBC,2F45994F,01238AB8,054AAC78,?,01241FAC,01238AB8,01123E70,000000FF,?,0101946F), ref: 010192B2
                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(01241F9C,2F45994F), ref: 0101932F
                                                                                                                                                                                    • DestroyWindow.USER32(00000000), ref: 0101934D
                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(01241F9C), ref: 01019396
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CriticalSection$DeleteDestroyEnterLeaveWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 307358592-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,0104CCE2,00000000,?,00000000,00000000,?,00000000,?,?,?,0104CCE2,?,00000003), ref: 0105226D
                                                                                                                                                                                    • GetLastError.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,0104CCE2,?,00000003,00000009,2F45994F,00000000), ref: 0105227E
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,0104CCE2,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 0105229F
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,0104CCE2,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 010522F1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1717984340-0
                                                                                                                                                                                    • Opcode ID: 522a299621a0029165e88eea6bb9e51fd51051cccc30de27ad89bf8aaec6e1c7
                                                                                                                                                                                    • Instruction ID: b63bcd0b0d8cdd7d25aa53545393705940973021d7be612f1796a1323ed0c79c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 522a299621a0029165e88eea6bb9e51fd51051cccc30de27ad89bf8aaec6e1c7
                                                                                                                                                                                    • Instruction Fuzzy Hash: C5515471600309FBEBA09B68CC81F6B76D8FF54748F108529FE86EA181EBB6D4108B55
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F113D8
                                                                                                                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 00F113EF
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F1140B
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00F11440
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClearVariant$AllocString
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2502263055-0
                                                                                                                                                                                    • Opcode ID: 7a85eb32fa26b94d8fa2625a89492b956cb869d36d1c3629b8522678393bb783
                                                                                                                                                                                    • Instruction ID: 9f82a1e7c98323dd27bd338dabfd4bea746a1e0fc8ad95acb8bdc135ef050e71
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7a85eb32fa26b94d8fa2625a89492b956cb869d36d1c3629b8522678393bb783
                                                                                                                                                                                    • Instruction Fuzzy Hash: 19519FB5E002699BDB20CF64D844BDDB7B4FF48724F1445A9EA19E7240DB34AD80DF98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 01046EA2
                                                                                                                                                                                    • GetShortPathNameW.KERNEL32(?,?,?), ref: 01046F21
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 01046F71
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,00000000,00000000), ref: 01046FA7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiNamePathShortWide
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3379522384-0
                                                                                                                                                                                    • Opcode ID: 8676e4ffc59c1ca875e9032caadbd47626b65c1843fc96a258ecffe0e6434882
                                                                                                                                                                                    • Instruction ID: f0ebeb7f3d34a030fabd99ab63d128dad4cabb1031f810efd320e36cab0695f7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8676e4ffc59c1ca875e9032caadbd47626b65c1843fc96a258ecffe0e6434882
                                                                                                                                                                                    • Instruction Fuzzy Hash: CE5181B1A04609AFD714DF58CC89B6EF7B9FF44324F10866DF9259B290EB76A840CB50
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageW.USER32(?,000000C5,?,00000000), ref: 00F2A99B
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00F2A9D5
                                                                                                                                                                                    • GetDC.USER32(?), ref: 00F2A9EC
                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000), ref: 00F2A9F3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CapsClientDeviceMessageRectSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3507044913-0
                                                                                                                                                                                    • Opcode ID: f966ad4e3943ee9b41ba4bae57d731e8e0247c69292e5961e126a73142d4407a
                                                                                                                                                                                    • Instruction ID: 37ab40c27a87b7faad93ea96f98716d6569914fe44668761be1a27a99603bf49
                                                                                                                                                                                    • Opcode Fuzzy Hash: f966ad4e3943ee9b41ba4bae57d731e8e0247c69292e5961e126a73142d4407a
                                                                                                                                                                                    • Instruction Fuzzy Hash: B8419E316083059FE725DF74D849F9EBBE4BF88300F008629F94AA72A0DB35A955CF52
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Focus$ChildWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 501040988-0
                                                                                                                                                                                    • Opcode ID: cb66b0a5e3a9fa53b332f23e7ba5046186c0c2d0f42272f6e6b92901c8025034
                                                                                                                                                                                    • Instruction ID: 91388f1c4af15c106a9858ea7e21630d01cb65c84c8116ee3a284340e3bf71d6
                                                                                                                                                                                    • Opcode Fuzzy Hash: cb66b0a5e3a9fa53b332f23e7ba5046186c0c2d0f42272f6e6b92901c8025034
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4C317E71A0061AAFDB18DF64DC49B7ABBB9FB48760F104259F826933D0DB74AC11DB90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DeleteObject$Select
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 207189511-0
                                                                                                                                                                                    • Opcode ID: add5aeb274f340b7901b6d151a95f97ddc76e038d4aca9571399c7dd53a98a28
                                                                                                                                                                                    • Instruction ID: f4ad0091dd2097e4bfb5c5faaddbf4fb0b33cdeb9ba51db714d1505fe27da5dd
                                                                                                                                                                                    • Opcode Fuzzy Hash: add5aeb274f340b7901b6d151a95f97ddc76e038d4aca9571399c7dd53a98a28
                                                                                                                                                                                    • Instruction Fuzzy Hash: 39111975604606BFE720CF69D908F6AFBB8FB49760F104219E815D3680D775A860CBA0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateCompatibleDC.GDI32(?), ref: 00F1469B
                                                                                                                                                                                    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00F146B4
                                                                                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 00F146C0
                                                                                                                                                                                    • SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 00F146D9
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
• Associated: 00000000.00000002.2483456187.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483683534.0000000001189000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483751086.000000000123D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483776796.000000000123F000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483816869.0000000001240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2483841912.000000000124A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CompatibleCreate$BitmapObjectSelectViewport
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1881423421-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00F0C5CB
                                                                                                                                                                                    • BitBlt.GDI32(00000000,?,?,?,00000000,?,00000000,00000000,00CC0020), ref: 00F0C5F6
                                                                                                                                                                                    • DeleteDC.GDI32(?), ref: 00F0C5FD
                                                                                                                                                                                    • ReleaseDC.USER32(?,?), ref: 00F0C60A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClientDeleteRectRelease
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2015589292-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 010FA1EB
                                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 010FA1F6
                                                                                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 010FA264
                                                                                                                                                                                      • Part of subcall function 010FA347: std::locale::_Locimp::_Locimp.LIBCPMT ref: 010FA35F
                                                                                                                                                                                    • std::locale::_Setgloballocale.LIBCPMT ref: 010FA211
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 677527491-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00F00FC0
                                                                                                                                                                                      • Part of subcall function 010F9E8C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,00F00FD6,?,00000000,00000000), ref: 010F9E98
                                                                                                                                                                                      • Part of subcall function 010F9E8C: GetExitCodeThread.KERNEL32(?,00000000,?,?,?,00F00FD6,?,00000000,00000000), ref: 010F9EB1
                                                                                                                                                                                      • Part of subcall function 010F9E8C: CloseHandle.KERNEL32(?,?,?,?,00F00FD6,?,00000000,00000000), ref: 010F9EC3
                                                                                                                                                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 00F00FE9
                                                                                                                                                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 00F00FF0
                                                                                                                                                                                    • std::_Throw_Cpp_error.LIBCPMT ref: 00F00FF7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Cpp_errorThrow_std::_$Thread$CloseCodeCurrentExitHandleObjectSingleWait
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2210105531-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ___std_exception_copy.LIBVCRUNTIME ref: 010290F6
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ___std_exception_copy
                                                                                                                                                                                    • String ID: ios_base::failbit set$iostream
                                                                                                                                                                                    • API String ID: 2659868963-302468714
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00EFB3A0: GetProcessHeap.KERNEL32 ref: 00EFB3F5
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0116C45F,000000FF), ref: 0106719B
                                                                                                                                                                                    • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0116C45F,000000FF), ref: 01067254
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • << Advanced Installer (x86) Log >>, xrefs: 010670F3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2483480952.0000000000EF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_ef0000_e-SPT Masa PPh.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseCriticalDeleteHandleHeapProcessSection
                                                                                                                                                                                    • String ID: << Advanced Installer (x86) Log >>
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • PathIsUNCW.SHLWAPI(?,2F45994F), ref: 0101F0B2
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Path
                                                                                                                                                                                    • String ID: \\?\$\\?\UNC\
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetTempPathW.KERNEL32(00000104,80000002,2F45994F,?,80000002,01242000), ref: 0106867F
                                                                                                                                                                                    • CreateDirectoryW.KERNEL32(80000002,00000000,?,80000002,01242000), ref: 010686E0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateDirectoryPathTemp
                                                                                                                                                                                    • String ID: ADVINST_LOGS
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,2F45994F,011CC950), ref: 01036D5C
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 01036E53
                                                                                                                                                                                      • Part of subcall function 01022D50: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 01022DFA
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Failed to get Windows error message [win32 error 0x, xrefs: 01036D7A
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FormatFreeIos_base_dtorLocalMessagestd::ios_base::_
                                                                                                                                                                                    • String ID: Failed to get Windows error message [win32 error 0x
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00F3D22B
                                                                                                                                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F3D28E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                                                                                                                                    • String ID: bad locale name
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetParent.USER32(0000000F), ref: 00F1E72C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00F1E711
                                                                                                                                                                                    • Unknown exception, xrefs: 00F1E701
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Parent
                                                                                                                                                                                    • String ID: C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception